Install and Configure OpenID Connect (OIDC) Client for Drupal 7 in an AFS-based Virtual Host

Environment

Drupal 7 CMS, AFS virtual host

Issue

How to install and configure OpenID Connect (OIDC) client for Drupal 7 CMS in an AFS-based virtual host

Before You Begin

  • You will need to obtain OIDC credentials for your site
    • These can be self-provisioned using the OIDC Provisioning and Management (OPaM) tool
    • Provision OIDC service client credentials for your site per the instructions in the following ITS Knowledge Article: How to Provision OIDC Service Client Credentials

Resolution

Note: If you are preparing for a NEW installation of Drupal 7, install Drupal per instructions in the ITS Knowledge Article "Install Drupal 7 CMS in an AFS-Based Virtual Host" and then return here for the remaining steps.

  1. Install the openid_connect module using the wget command below.  You must use at least version 7.x-1.2; prior releases will not work correctly out of the box.
  2. Establish an SSH session to "umpire.dsc.umich.edu".  You'll need to configure your environment to select the version of PHP you need to use.  For Drupal 7 sites, run this command:
     source /opt/remi/php73/enable
  3. Run this command (substitute your actual directory name for [drupal doc root directory] and the actual release version for {{release}}):
     wget -O - 'https://ftp.drupal.org/files/projects/openid_connect-{{release}}.tar.gz' | tar -C [drupal doc root directory]/sites/all/modules -xzf -

Other modules must also be installed, as they are required dependencies of the OpenID Connect module.  Install the following in the same manner as above, identifying the latest 7.x release of each and unpacking it in the [drupal doc root directory]/sites/all/modules/ directory:
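The wget | tar one-liner above unpacks whatever the archive contains straight into sites/all/modules.  The following script is an added example, not part of the ITS article, that performs the same install step with two checks in front of it: the openid_connect release is 7.x-1.2 or later (the article's stated minimum), and every entry in the tarball stays under the module's own directory, so a mislabelled or tampered archive cannot write anywhere else under the doc root.  The ftp.drupal.org URL format comes from the article; the function names, the rule that pre-release suffixes such as "-rc1" count as unsupported, and the sample tarballs built by make_sample_tarball are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the ITS article): install a Drupal 7 contrib module
# tarball into sites/all/modules with two checks the wget | tar one-liner skips:
#   1. the openid_connect release is 7.x-1.2 or later (the article's minimum)
#   2. every tarball entry stays under the module's own directory, so a bad or
#      mislabelled archive cannot write outside sites/all/modules/<module>/
set -eu

# release_is_supported RELEASE
# Accepts "7.x-1.N" with N >= 2 and no pre-release suffix (assumption: anything
# else, e.g. "7.x-1.2-rc1" or "8.x-1.2", is treated as unsupported).
release_is_supported() {
  local release="$1" minor
  case "$release" in
    7.x-1.*) ;;
    *) return 1 ;;
  esac
  minor="${release#7.x-1.}"
  case "$minor" in
    ''|*[!0-9]*) return 1 ;;   # empty or not purely numeric
  esac
  [ "$minor" -ge 2 ]
}

# download_url MODULE RELEASE: prints the drupal.org tarball URL the article uses
download_url() {
  printf 'https://ftp.drupal.org/files/projects/%s-%s.tar.gz\n' "$1" "$2"
}

# check_tarball_paths TARBALL MODULE
# Succeeds only when every entry is "MODULE" or "MODULE/...": rejects absolute
# paths, ".." components and any entry outside the expected module directory.
check_tarball_paths() {
  local tarball="$1" module="$2" listing entry
  listing=$(tar -tzf "$tarball") || return 1
  while IFS= read -r entry; do
    case "$entry" in
      /*|*/../*|../*|*/..|..) echo "rejecting path traversal entry: $entry" >&2; return 1 ;;
      "$module"|"$module/"*) ;;
      *) echo "rejecting entry outside $module/: $entry" >&2; return 1 ;;
    esac
  done <<EOF
$listing
EOF
}

# install_module TARBALL MODULE DOCROOT
# Unpacks TARBALL into DOCROOT/sites/all/modules after the path check and
# confirms the module's .info file landed where Drupal 7 expects it.
install_module() {
  local tarball="$1" module="$2" docroot="$3" dest
  dest="$docroot/sites/all/modules"
  check_tarball_paths "$tarball" "$module" || return 1
  mkdir -p "$dest"
  tar -C "$dest" -xzf "$tarball"
  [ -f "$dest/$module/$module.info" ]
}

# install_from_drupal_org MODULE RELEASE DOCROOT
# The article's wget step with the checks above in front of it (needs network).
install_from_drupal_org() {
  local module="$1" release="$2" docroot="$3" tmp status
  if [ "$module" = openid_connect ] && ! release_is_supported "$release"; then
    echo "openid_connect $release is older than the required 7.x-1.2" >&2
    return 1
  fi
  tmp=$(mktemp)
  wget -q -O "$tmp" "$(download_url "$module" "$release")" || { rm -f "$tmp"; return 1; }
  install_module "$tmp" "$module" "$docroot" && status=0 || status=$?
  rm -f "$tmp"
  return "$status"
}

# make_sample_tarball OUT_TGZ TOPDIR
# Builds a constructed tarball shaped like a drupal.org release (TOPDIR/TOPDIR.info
# and TOPDIR/TOPDIR.module with placeholder contents) for offline demonstration.
make_sample_tarball() {
  local out="$1" topdir="$2" work
  work=$(mktemp -d)
  mkdir -p "$work/$topdir"
  printf 'name = %s\ncore = 7.x\n' "$topdir" > "$work/$topdir/$topdir.info"
  printf '<?php\n// constructed placeholder, not the real module\n' > "$work/$topdir/$topdir.module"
  tar -C "$work" -czf "$out" "$topdir"
  rm -rf "$work"
}

# Offline demonstration with constructed tarballs and a temporary doc root.
demo_dir=$(mktemp -d)
make_sample_tarball "$demo_dir/openid_connect-7.x-1.2.tar.gz" openid_connect
make_sample_tarball "$demo_dir/mislabelled.tar.gz" some_other_module
install_module "$demo_dir/openid_connect-7.x-1.2.tar.gz" openid_connect "$demo_dir/docroot" \
  && echo "installed openid_connect into $demo_dir/docroot/sites/all/modules"
install_module "$demo_dir/mislabelled.tar.gz" openid_connect "$demo_dir/docroot" \
  || echo "mislabelled archive rejected, nothing unpacked"
rm -rf "$demo_dir"
```

The same install_module function serves the dependency modules: call it with the dependency's own directory name as MODULE so the path check is applied to each archive, and pass the real doc root (the example's demo uses a temporary one).  Downloading to a temporary file before extraction is what makes the listing check possible; the article's `wget -O - | tar` form has no such opportunity.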

  1. After the modules are installed, enable the OpenID Connect module in the Admin interface (under Administration → Modules → OAUTH2).
  2. Press the Save Configuration button at the bottom of the page.  You will be prompted to allow other dependency modules (Chaos tools, Entity API) to be enabled as well.
  3. Press Continue to proceed.
  4. Update the configuration of openid_connect by navigating to "Configuration → Web Services → OpenID Connect" in the site administrator dashboard.
  5. Update the configuration based on the table below and save the updated settings via the "Save configuration" button at the bottom of the configuration page.

     Setting Name                                     Setting Value
     Enabled OpenID Connect clients                   Generic
     Client ID                                        ${OIDC_ID}
     Client Secret                                    ${OIDC_SECRET}
     Authorization Endpoint                           https://weblogin.umich.edu/idp/profile/oidc/authorize
     Token Endpoint                                   https://weblogin.umich.edu/idp/profile/oidc/token
     UserInfo Endpoint                                https://weblogin.umich.edu/idp/profile/oidc/userinfo
     Save user claims on every login                  checked
     Fetch user profile picture from login provider   {site admin preference}
     Automatically connect existing users             checked
  6. To add the "Login with Generic" button, navigate to "Structure → Blocks" and scroll down to the Disabled section.   Find "OpenID Connect login" and change the region setting from "- None -" to "Sidebar first". If you wish to change the block title (default is "Log in"), select "configure" and add a different Block title such as "OpenID Connect Login" and press "Save block".
  7. If you wish to remove the local login block, change the region for "User login" from "Sidebar first" to "- None -".  Press "Save blocks" to apply.

Additional Information

Need additional information or assistance? Contact the ITS Service Center.