How to share user information in a Drupal SSO environment
We here at Mearra love a good challenge. Recently, one of our customers asked us to build a service that would enable SSO across 3 different Drupal installations, 2 of which were Drupal 6 and the remaining one Drupal 7. After a fair bit of research we selected CAS (Central Authentication Service) as our main weapon. Configured correctly, CAS works beautifully as a standalone solution, but we also wanted to share specific information between the sites (things like the user avatar, user role(s) and custom user fields). As there wasn't any ready-made solution available, we decided to make our own.
Thus, CAS_fields was born. It extends the functionality of the CAS module and enables user data sharing between the CAS server and the CAS client.
The installation is as easy as for any other Drupal module: download the module bundle from drupal.org and enable the client or server module, in their respective environments, from the admin interface or by using drush.
Configuring the server
The server configuration is found at "casserverinstallation.domain/admin/config/people/cas/server". The site administrator only needs to set the top-level domain of the clients. For example, if your client is reached at "client.example.com", the top-level domain will be "example.com". Please note that leaving the text field empty causes all incoming CAS requests to be accepted.
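To make the effect of that setting concrete, here is an added example of the kind of check the "top-level domain of the clients" setting implies. It is not code from the CAS_fields module; the function name is hypothetical, and in a real Drupal module the allowed domain would come from the saved configuration (for example via variable_get()) rather than a parameter. The example keeps the behaviour the post describes (an empty setting accepts every client) and shows why the match has to be on a dot-separated suffix rather than a plain string suffix.

```php
<?php
// Added example, not part of the CAS_fields module.
// cas_fields_example_client_allowed() is a hypothetical name.

/**
 * Decide whether a CAS client service URL may receive user data.
 *
 * @param string $service_url
 *   The client service URL carried by the incoming CAS request.
 * @param string $allowed_domain
 *   The configured client top-level domain, e.g. 'example.com'.
 *
 * @return bool
 *   TRUE when the request should be accepted.
 */
function cas_fields_example_client_allowed($service_url, $allowed_domain) {
  // Behaviour described in the post: an empty setting accepts every client.
  $allowed_domain = strtolower(trim($allowed_domain));
  if ($allowed_domain === '') {
    return TRUE;
  }

  // Compare host names only; scheme, port and path do not matter here.
  $host = parse_url($service_url, PHP_URL_HOST);
  if (!is_string($host) || $host === '') {
    return FALSE;
  }
  $host = strtolower($host);

  // Accept the domain itself and any subdomain of it. A bare suffix match
  // would also accept "notexample.com", so the dot is required.
  if ($host === $allowed_domain) {
    return TRUE;
  }
  $suffix = '.' . $allowed_domain;
  return substr($host, -strlen($suffix)) === $suffix;
}

// Constructed sample service URLs exercising the check against 'example.com'.
$samples = array(
  'https://client.example.com/cas',    // accepted: subdomain of example.com
  'https://example.com/cas',           // accepted: the domain itself
  'https://notexample.com/cas',        // rejected: only a string suffix
  'https://example.com.evil.test/cas', // rejected: example.com is a prefix, not the domain
  'not a url',                         // rejected: no host name at all
);
foreach ($samples as $url) {
  printf("%-38s %s\n", $url, cas_fields_example_client_allowed($url, 'example.com') ? 'accepted' : 'rejected');
}

// With an empty setting every client is accepted, as the post warns.
printf("%-38s %s\n", 'empty setting, any host', cas_fields_example_client_allowed('https://anything.test/', '') ? 'accepted' : 'rejected');
```

The last line is the case the post's warning is about: once the setting is empty, nothing in the check distinguishes the customer's own sites from any other host that can reach the CAS server, so the field should be filled in on every production server.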
Configuring the client
The client configuration can be found at "casclientinstallation.domain/admin/config/people/cas/cas_client". It follows the same easy pattern as the server configuration, and the site administrator does not need much technical knowledge to set it up. As one can see in the screenshot below, all settings are exposed and ready to be modified.
The sync always happens on user login. Therefore, if a user was logged in when the settings were changed, that user must log out and log back in for the changes to take effect.
If set, the following user properties are synced:
- default user fields - this functionality is enabled automatically
- custom user fields - the user chooses which of these custom user fields get synced via the configuration page
- user roles - only the user roles get synced, not the permissions of the specific role(s). Also, the user role name(s) must be the same on both the client and server installations for the sync to be successful. If the role name(s) are not the same, the sync disregards the specific role(s).
- user picture - when this functionality is enabled the actual avatar image is transferred upon sync. By using Drupal API function calls, the administrator doesn't need to worry about any file management issues.
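The role rule above (roles travel by name, permissions do not, and unknown names are dropped) is easy to get subtly wrong, so here is an added example of how a client could apply it. This is not code from the CAS_fields module; the function names are hypothetical, the role data is constructed, and the example assumes Drupal 7's user_roles() shape (rid => name) for the client's role table. It treats "the same name" as an exact, case-sensitive match, which is this example's interpretation of the rule.

```php
<?php
// Added example, not part of the CAS_fields module.
// Both function names are hypothetical.

// Drupal core defines this constant; it is defined here only so the example
// runs outside Drupal. The value matches Drupal 6 and 7.
if (!defined('DRUPAL_AUTHENTICATED_RID')) {
  define('DRUPAL_AUTHENTICATED_RID', 2);
}

/**
 * Map role names received from the CAS server onto the client's role ids.
 *
 * @param array $server_role_names
 *   Role names sent by the server, e.g. array('editor', 'reviewer').
 * @param array $client_roles
 *   The client's roles in user_roles() shape: rid => name.
 *
 * @return array
 *   'matched' => array(rid => name) for names the client knows,
 *   'ignored' => names with no identically named client role.
 */
function cas_fields_example_match_roles(array $server_role_names, array $client_roles) {
  $rid_by_name = array_flip($client_roles);   // name => rid
  $matched = array();
  $ignored = array();
  foreach ($server_role_names as $name) {
    if (isset($rid_by_name[$name])) {
      $matched[$rid_by_name[$name]] = $name;
    }
    else {
      // No client role with exactly this name: disregarded, as the post says.
      $ignored[] = $name;
    }
  }
  return array('matched' => $matched, 'ignored' => $ignored);
}

/**
 * Build the roles array to save on the client account. The built-in
 * "authenticated user" role is always kept; every other role is replaced by
 * the synced set, so a role removed on the server disappears on the client
 * at the next login instead of lingering.
 */
function cas_fields_example_build_account_roles(array $matched_roles) {
  return array(DRUPAL_AUTHENTICATED_RID => 'authenticated user') + $matched_roles;
}

// Constructed data: role names on the server account and the client's roles.
$server_role_names = array('editor', 'reviewer', 'Editor');
$client_roles = array(
  1 => 'anonymous user',
  2 => 'authenticated user',
  3 => 'editor',
  4 => 'moderator',
);

$result = cas_fields_example_match_roles($server_role_names, $client_roles);
print "matched: " . json_encode($result['matched']) . "\n";   // {"3":"editor"}
print "ignored: " . json_encode($result['ignored']) . "\n";   // ["reviewer","Editor"]

// In Drupal 7 this array would be passed as
// user_save($account, array('roles' => $roles)) inside the login hook.
$roles = cas_fields_example_build_account_roles($result['matched']);
print "account roles: " . json_encode($roles) . "\n";          // {"2":"authenticated user","3":"editor"}
```

The "ignored" list is worth writing to the log (watchdog() in Drupal 6 and 7) on the client: a role that silently fails to sync because of a one-character name difference, such as "Editor" versus "editor" above, is otherwise very hard to spot.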
The configuration described above has been bundled with a third-party registration system that enabled us to use a number of services for authenticating users, such as Facebook, Google, LinkedIn, etc.
The customer was happy with our implementation, and we are happy to give back to the community.