Five Tips on Integrating a Drupal Site with Shibboleth (at USC)

We recently had the pleasure of working with a client at the University of Southern California -- which happens to be both the greatest university in the world and my alma mater -- to evaluate how best to integrate a Drupal site with USC’s Shibboleth installation.

If you haven’t heard of Shibboleth, it is an open source tool that allows organizations to provide a central authentication solution to third-parties outside of its direct control. Imagine you have a large university where each school -- like the Law School, the Architecture School, the Liberal Arts School, etc. -- are autonomous but everyone uses the same email account managed by a central IT department.

Enter Shibboleth. Using Shibboleth, an organization that manages authentication can allow other folks to leverage that authentication without violating anyone’s privacy and without putting that central authentication system at risk.

In our work to evaluate integrating a Drupal site to USC’s Shibboleth system we identified a few tips that might be helpful for others to integrate these systems:

Tip #1: Dual authentication is supported

You can run a Drupal site where users can either login with a Drupal account or Shibboleth, or provide only Shibboleth login. Dual authentication lets you handle situations where not every user will have a Shibboleth login but might still need access to your site.

Tip #2: Manage authorization carefully

Every Shibboleth user who logs into your Drupal site has a normal local Drupal user account. While Shibboleth provides authentication you still need to manage authorization within your site. Once authenticated for the first time, you will need to decide how you assign rights to the user. You can either do this manually on a per user basis by assigning Drupal roles to new accounts as you see them, or you can create a custom module to assign roles based on some kind of internal logic, such as a known user list or Shibboleth user attributes.

Tip #3: Secure your password reset form

One of the advantages of using Shibboleth for authentication is that once a user loses their central account you don’t have to remove their access to any Shibboleth-integrated device. However, in a default Drupal-Shibboleth integration setup it’s possible for users that have lost their Shibboleth account to bypass your Shibboleth login and gain access to your site.

Here is how this would happen:

1. As a valid Shibboleth account holder they log into your Drupal site. A normal Drupal account is created.
2. After some time, they update their email address in their Drupal account to a personal email address. They still login with their Shibboleth login, but their email is now unrelated to their Shibboleth identity.
3. The user loses their Shibboleth account.
4. The user goes to your Drupal site and uses the password reset form to get an email sent to their personal email with a direct login URL. They have now gained access to your site.

One easy way to address this security issue is to use the User Protect Drupal module. Using this module you can restrict access to the password reset form by a user role.

Tip #4: Ensure you have access to Shibboleth technical expertise

Any server that runs a site that will integrate with Shibboleth does require you to install and configure the Shibboleth service, an operating system level application. While the setup is fairly straight-forward, it does require system administration skills to both setup and manage over time. If the Shibboleth service on your server fails, your site is essentially down for any user that needs to login.

Tip #5: Know where to find help online

USC’s central IT office has some great documentation online to help with Shibboleth:

• USC's Shibboleth install guide
• The Shibboleth application
• Summary listing of available attributes
• Partial dictionary of Shibboleth attributes