Felix Delattre

OpenID single sign-on server and client modules


Context

Bigger organizations may have a whole ecosystem of online tools (e.g. a main publishing website, an intranet, websites for local chapters, etc.). Usually they want their users to have only one login credential, and they also want the user data to be synchronized between all applications.

Description

Development of a Drupal-based single sign-on authentication solution built on native OpenID, for use in relying websites or to set up an authentication server. It also includes an implementation of the Attribute Exchange specs to synchronize user information between provider and relying parties.

The Drupal OpenID-Single-Sign-On solution (Drupal Omniauth) is an easy-to-use but feature-rich authentication solution for Drupal websites, which can also work with other systems as long as they implement the official OpenID specifications.

Usually, it consists of one (Drupal) provider instance which allows authentication to an unlimited number of relying parties in one group. This is suitable for big companies, NGOs, and other groups who manage a number of (Drupal and other) websites and want to have one single log-in provider.

Out of the box, it synchronizes email address changes on the provider to all relying parties’ accounts of this user. Together with more extensive modules based on OpenID’s official Attribute Exchange specifications, it can be configured to synchronize any field on a user (profile) to the OpenID-SSO provider and then back to all relying parties.

Everything was wrapped into a Drupal distribution in order to be easily deployable.