Install and Configure OpenID Connect (OIDC) Client for Drupal 9/10 in an AFS-based Virtual Host

Environment

Drupal 9/10 CMS, AFS virtual host

Issue

How to install and configure OpenID Connect (OIDC) client for Drupal 9/10 CMS in an AFS-based virtual host.

IMPORTANT SECURITY NOTE:  Per the Drupal core release cycle, Drupal 9 end-of-life and end of security support was reached on November 1, 2023.  References to Drupal 9 are still retained in this document for now, but no new Drupal sites should be installed based on Drupal 9.x.  Please install new sites based on Drupal 10.  Existing Drupal 9 sites are strongly encouraged to upgrade to Drupal 10 as soon as possible to minimize exposure to any potential security issues with (now unsupported) Drupal 9 in the future.

Before You Begin

  • You will need to obtain OIDC credentials for your site
    • These can be self-provisioned using the OIDC Provisioning and Management (OPaM) tool
    • Provision OIDC service client credentials for your site per the instructions in the following ITS Knowledge Article: How to Provision OIDC Service Client Credentials

Resolution

  • If you are preparing for a NEW installation of Drupal 10 (see security note above regarding Drupal 9), install Drupal per instructions in the ITS Knowledge Article "Install Drupal 9/10 CMS in an AFS-Based Virtual Host" and then return here for the remaining steps in the current article.
  1. Install the openid_connect module using composer, as shown on the Releases page on the module site.  Step #4 of the knowledge article "Install Drupal 9/10 CMS in an AFS-Based Virtual Host" explains how to install composer within your {{doc_root}} directory.

     cd {{doc_root}}
     vendor/bin/composer require 'drupal/openid_connect:^1.4'
  2. Navigate to "Manage → Extend → OpenID Connect", check the checkbox, and press the "Install" button

  3. After the module is installed, configure it by navigating to "Manage → Configuration → OpenID Connect" in the site administrator dashboard
    1. Configure the plugin using the following settings:

       Setting Name                                     Setting Value
       -----------------------------------------------  --------------------------------------------------------
       Enabled OpenID Connect clients                   Generic
       Generic: Client ID                               ${OIDC_ID}
       Generic: Client secret                           ${OIDC_SECRET}
       Generic: Authorization endpoint                  https://weblogin.umich.edu/idp/profile/oidc/authorize
       Generic: Token endpoint                          https://weblogin.umich.edu/idp/profile/oidc/token
       Generic: UserInfo endpoint                       https://weblogin.umich.edu/idp/profile/oidc/userinfo
       Override registration settings                   unchecked
       Save user claims on every login                  checked
       OpenID buttons display in user login form        {site admin preference}
       Advanced: Automatically connect existing users   unchecked

  4. Save the updated settings using the 'Save configuration' button at the bottom of the configuration page
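On a shared AFS host the client secret should not sit in the database or in an exported configuration file. The following settings.php override is an added example (not from the ITS article or the openid_connect module) that injects ${OIDC_ID} and ${OIDC_SECRET} from environment variables at runtime and pins the hardened choices from the table above; it assumes the web server exports those two variables to PHP and that the configuration object names openid_connect.settings.generic and openid_connect.settings match the installed 1.x release (check modules/contrib/openid_connect/config/install/ to confirm).

```php
<?php
// Added example for sites/default/settings.php under the Drupal root;
// not part of the ITS article or the openid_connect module.
// Assumptions: the web server exports OIDC_ID and OIDC_SECRET to PHP, and
// the config object names below match openid_connect 1.x (verify them in
// modules/contrib/openid_connect/config/install/ for your release).
$oidc_id = getenv('OIDC_ID');
$oidc_secret = getenv('OIDC_SECRET');

if ($oidc_id === FALSE || $oidc_id === '' || $oidc_secret === FALSE || $oidc_secret === '') {
  // Fail closed rather than bring the site up with an empty client secret.
  throw new \RuntimeException('OIDC_ID and OIDC_SECRET must be set in the environment.');
}

// Runtime overrides take precedence over values stored in the database, so
// the secret never has to be typed into the admin form or exported with
// `drush config:export`.
$config['openid_connect.settings.generic']['enabled'] = TRUE;
$config['openid_connect.settings.generic']['settings']['client_id'] = $oidc_id;
$config['openid_connect.settings.generic']['settings']['client_secret'] = $oidc_secret;
$config['openid_connect.settings.generic']['settings']['authorization_endpoint']
  = 'https://weblogin.umich.edu/idp/profile/oidc/authorize';
$config['openid_connect.settings.generic']['settings']['token_endpoint']
  = 'https://weblogin.umich.edu/idp/profile/oidc/token';
$config['openid_connect.settings.generic']['settings']['userinfo_endpoint']
  = 'https://weblogin.umich.edu/idp/profile/oidc/userinfo';

// Pin the settings-table choices so a later edit in the UI cannot silently
// re-enable automatic linking of existing accounts by e-mail claim.
$config['openid_connect.settings']['connect_existing_users'] = FALSE;
$config['openid_connect.settings']['override_registration_settings'] = FALSE;
$config['openid_connect.settings']['always_save_userinfo'] = TRUE;
```

The admin form still displays the values stored in the database rather than the override, so leave the Client ID and Client secret fields empty there and confirm the effective values with `drush config:get openid_connect.settings.generic --include-overridden`.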

Additional Information

Need additional information or assistance? Contact the ITS Service Center.