How do I configure Drupal to use Shibboleth?

This tutorial assumes that you already have Shibboleth installed and working on your server and that you are using Drupal 7.

Install and configure Shibboleth authentication module

Download and install the Shibboleth authentication Drupal module, as you would typically install a contributed Drupal module.

Once it is installed, visit Configuration > Shibboleth settings.

General settings

Shibboleth handler settings:

  • Shibboleth login handler URL: /Shibboleth.sso/Login
  • Shibboleth logout handler URL: /Shibboleth.sso/Logout
  • Force HTTPS on login should be checked

Attribute settings:

  • Server variable for username: UID or EPPN
  • Server variable for e-mail address: EPPN

The UID corresponds to the UIC NetID (jqpublic). The EPPN corresponds to the UIC email address (jqpublic@uic.edu). Either one can serve as the username. If you plan to enable access to other University of Illinois campuses, or even other institutions using Shibboleth, then using EPPN as the username is recommended, to avoid username collisions.

In the following screenshot, the Drupal username is set to the UIC email address.

[Screenshot: Shibboleth Handler Settings]

Advanced settings

Destroy Drupal session when the Shibboleth session expires should be checked

To make sure that the Shibboleth session is ended when someone clicks on “Log out”, set the URL to redirect to after logout to:

https://shibboleth.uic.edu/idp/cgi-bin/shib-logout.cgi?return=http://foo.uic.edu

Replace foo.uic.edu with your site’s URL.

Webserver configuration

Add the following to the .htaccess file in your site’s web root (at the top or bottom of the file):

AuthType Shibboleth
ShibRequireSession Off
ShibUseHeaders On
require shibboleth

In some cases, another module may interfere with the Shibboleth login path (/Shibboleth.sso/). To resolve this, add the RewriteCond line for /Shibboleth.sso/ (the second line below) immediately before the RewriteRule that redirects to index.php:

RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteCond %{REQUEST_URI} !/Shibboleth.sso/.*$ [NC]
RewriteRule ^ index.php [L]
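
A RewriteCond applies only to the RewriteRule that directly follows it, so the exclusion has no effect if it ends up below the index.php rule. The following checker is an added example, not part of the original page or of the Shibboleth module; the names check_htaccess, GOOD and MISPLACED are hypothetical, and the sample file is constructed from the lines above plus the REQUEST_FILENAME conditions of a stock Drupal 7 .htaccess.

```python
REQUIRED = [("authtype", "shibboleth"), ("shibrequiresession", "off"),
            ("shibuseheaders", "on"), ("require", "shibboleth")]

# Constructed sample input: the article's lines plus Drupal 7's stock conditions.
EXCLUSION = "RewriteCond %{REQUEST_URI} !/Shibboleth.sso/.*$ [NC]\n"
RULE = "RewriteRule ^ index.php [L]\n"
GOOD = (
    "AuthType Shibboleth\nShibRequireSession Off\n"
    "ShibUseHeaders On\nrequire shibboleth\n"
    "RewriteEngine on\n"
    "RewriteCond %{REQUEST_FILENAME} !-f\n"
    "RewriteCond %{REQUEST_FILENAME} !-d\n"
    "RewriteCond %{REQUEST_URI} !=/favicon.ico\n"
    + EXCLUSION + RULE
)
# Same file with the exclusion moved below the rule it was meant to guard.
MISPLACED = GOOD.replace(EXCLUSION + RULE, RULE + EXCLUSION)

def directives(text):
    """Yield each non-blank, non-comment line as a list of tokens."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line.split()

def is_shib_exclusion(cond):
    """True for a negated REQUEST_URI condition that names Shibboleth.sso."""
    return (len(cond) > 2 and cond[1].upper() == "%{REQUEST_URI}"
            and cond[2].startswith("!") and "shibboleth.sso" in cond[2].lower())

def check_htaccess(text):
    """Return a list of problems; an empty list means nothing was found."""
    seen = {(d[0].lower(), d[1].lower()) for d in directives(text) if len(d) > 1}
    problems = [f"missing directive: {n} {v}" for n, v in REQUIRED if (n, v) not in seen]
    pending = []  # RewriteCond lines waiting for the next RewriteRule
    for d in directives(text):
        kind = d[0].lower()
        if kind == "rewritecond":
            pending.append(d)
        elif kind == "rewriterule":
            to_index = len(d) > 2 and d[2].lstrip("/").lower() == "index.php"
            if to_index and not any(is_shib_exclusion(c) for c in pending):
                problems.append("index.php RewriteRule lacks a /Shibboleth.sso/ exclusion")
            pending = []  # conditions apply only to the rule that follows them
    return problems

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("misplaced", MISPLACED)):
        print(name, check_htaccess(sample) or "ok")
```

To check a real file, pass its contents to check_htaccess, for example check_htaccess(open(".htaccess").read()).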

Account provisioning

By default, the Shibboleth Authentication module will auto-provision an account, with the role "authenticated user". The new user account will not have any administrative privileges if you don't assign such privileges to the role "authenticated user".

The account username will depend on your configuration. If you entered UID in the Server variable for username configuration field, then the username will be identical to the person's NetID. If you entered EPPN, then it will be equivalent to the UIC email address.

If you have existing users that use that username, the account will have to be manually linked.

If you want to be able to pre-create accounts, install the Shibboleth User Provisioning Drupal module.

Install and configure User Protect module

If you use single sign-on like Shibboleth, you do not want your users to change their email addresses to create local passwords. The User Protect module prevents users from changing their email address in their Drupal profile.

Optional: Block Cache Alter

If you place the Shibboleth login block on every page of your site, you may find that after authentication you are taken to a different page, because the block was cached. To address this, use the Block Cache Alter module, and refer to this issue: https://www.drupal.org/node/1497524.

Last updated: September 20, 2016