Install and Configure OpenID Connect (OIDC) Client for Drupal 7 in an AFS-based Virtual Host

Environment

Drupal 7 CMS, AFS virtual host

Issue

How to install and configure OpenID Connect (OIDC) client for Drupal 7 CMS in an AFS-based virtual host

Before You Begin

  • You will need to obtain OIDC credentials for your site
    • These can be self-provisioned using the OIDC Provisioning and Management (OPaM) tool
    • Provision OIDC service client credentials for your site per the instructions in the following ITS Knowledge Article: How to Provision OIDC Service Client Credentials

Resolution

Note: If you are preparing for a NEW installation of Drupal 7, install Drupal per instructions in the ITS Knowledge Article "Install Drupal 7 CMS in an AFS-Based Virtual Host" and then return here for the remaining steps.

  • Install the custom U-M version of the openid_connect module using the wget command below.
    • We have a U-M custom build of the module that must be used in order to configure a correctly functioning OIDC client with Drupal 7.
    • You can refer to the public documentation for the openid_connect module, but do not download or install the module from the public documentation page.
    • You must download and install this custom build as follows:
  1. Establish an SSH session to "umpire.dsc.umich.edu".  You'll need to configure your environment to select the version of PHP you need to use.  For Drupal 7 sites, run this command:
source /opt/remi/php73/enable
  2. Run this command, substituting your actual directory name for [drupal doc root directory]:
wget -O - 'http://websites.umich.edu/~umweb/downloads/openid_connect-7.x-1.0umich.tgz' | tar -C [drupal doc root directory]/sites/all/modules -xzf -

The OpenID Connect module has other modules as required dependencies, so they must be installed as well.  Install each of the following in the same manner as above, identifying the latest 7.x release for each and unpacking it in the [drupal doc root directory]/sites/all/modules/ directory:

  1. After the modules are installed, enable each (some may have more than one component to enable).  Then enable the OpenID Connect module in the Admin interface.
  2. Press the Save Configuration button at the bottom of the page.  You will be prompted to allow other dependency modules to be enabled as well.
  3. Press Continue to proceed.
  4. Before configuring the OpenID Connect Client module, several steps must be run manually from the command line of a shell terminal session, again on umpire.dsc.umich.edu.  (Be sure to run `source /opt/remi/php73/enable` first if you are in a new shell terminal session.)
cd [drupal doc root directory]
/afs/umich.edu/group/itd/umweb/bin/drush-7.x/drush vset openid_connect_connect_existing_users 1
/afs/umich.edu/group/itd/umweb/bin/drush-7.x/drush php-eval "variable_set('openid_connect_clients_enabled', array('generic'=>'generic'));"
  5. Substitute your OIDC ID and Secret for "{{OIDC_ID}}" and "{{OIDC_SECRET}}" respectively in the following command:
/afs/umich.edu/group/itd/umweb/bin/drush-7.x/drush php-eval "variable_set('openid_connect_client_generic', array('client_id'=>'{{OIDC_ID}}','client_secret'=>'{{OIDC_SECRET}}','authorization_endpoint' => 'https://weblogin.umich.edu/idp/profile/oidc/authorize','token_endpoint'=>'https://weblogin.umich.edu/idp/profile/oidc/token','userinfo_endpoint'=>'https://weblogin.umich.edu/idp/profile/oidc/userinfo'));"
  6. Connect to your database:
/afs/umich.edu/group/itd/umweb/bin/drush-7.x/drush sqlc
  7. Change to your database:
use {{your-database-name}};
  8. Execute the following SQL commands, substituting your table prefix (e.g. "d7_") for {{table_prefix}}:
UPDATE {{table_prefix}}block SET region = -1, status = 0 WHERE module = 'user' AND delta = 'login' AND theme = 'bartik';
UPDATE {{table_prefix}}block SET region = 'sidebar_first', status = 1 WHERE module = 'openid_connect' AND delta = 'openid_connect_login' AND theme = 'bartik';
  9. Disconnect from your database:
quit;
  10. Clear all caches:
/afs/umich.edu/group/itd/umweb/bin/drush-7.x/drush cc all
  11. Confirm or update the configuration of openid_connect by navigating to “Configuration → Web Services → OpenID Connect” in the site administrator dashboard:

  Setting Name                                    Setting Value
  ----------------------------------------------  -----------------------------------------------------
  Enabled OpenID Connect clients                  Generic
  Client ID                                       {{OIDC_ID}}
  Client Secret                                   {{OIDC_SECRET}}
  Authorization Endpoint                          https://weblogin.umich.edu/idp/profile/oidc/authorize
  Token Endpoint                                  https://weblogin.umich.edu/idp/profile/oidc/token
  UserInfo Endpoint                               https://weblogin.umich.edu/idp/profile/oidc/userinfo
  Save user claims on every login                 checked
  Fetch user profile picture from login provider  {site admin preference}
  Automatically connect existing users            checked

  12. Save the updated settings via the “Save configuration” button at the bottom of the configuration page.
    • The login button should now say "Log in with Generic" and will log in via the standard U-M Weblogin process.
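The drush steps above place the client secret directly in a shell command line, where it ends up in your shell history, and they embed it in a PHP string literal that a stray quote character would break.  The following POSIX shell script is an added example, not part of this article or of the openid_connect module: it reads the OIDC ID and secret from a file only you can read (chmod 600), refuses to run while the article's placeholders are still unsubstituted, escapes both values for PHP, and then runs the same drush vset / php-eval / cc all commands.  The drush path and the Weblogin endpoints are the ones given in the article; the credentials file layout (two lines: ID, then secret), its default path ~/.oidc-creds and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the ITS article: wraps the drush "vset",
# "php-eval" and "cc all" steps so the client id and secret are read
# from a file only you can read (chmod 600) instead of being typed into
# the command line, and so values containing quote characters cannot
# break the PHP literal. The drush path and endpoints are the article's;
# the credentials file layout and function names are this example's own.

DRUSH=/afs/umich.edu/group/itd/umweb/bin/drush-7.x/drush
AUTHZ=https://weblogin.umich.edu/idp/profile/oidc/authorize
TOKEN=https://weblogin.umich.edu/idp/profile/oidc/token
USERINFO=https://weblogin.umich.edu/idp/profile/oidc/userinfo

# Escape a value for a PHP single-quoted string: only backslash and the
# single quote are special there, and backslash must be handled first.
php_quote() {
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g"
}

# Exit 0 (true) when a value is empty or still looks like one of the
# article's unsubstituted placeholders: {{OIDC_ID}}, ${OIDC_SECRET},
# [drupal doc root directory].
is_placeholder() {
    case "$1" in
        ''|*'{{'*|*'}}'*|*'${'*|'['*']') return 0 ;;
    esac
    return 1
}

# Refuse to touch the site while either credential is missing.
check_credentials() {
    if is_placeholder "$1"; then echo "client id not set" >&2; return 1; fi
    if is_placeholder "$2"; then echo "client secret not set" >&2; return 1; fi
    return 0
}

# Build the PHP statement the article passes to "drush php-eval", with
# both credentials escaped. Prints the statement; runs nothing.
build_client_php() {
    qid=$(php_quote "$1")
    qsec=$(php_quote "$2")
    printf "variable_set('openid_connect_client_generic', array('client_id'=>'%s','client_secret'=>'%s','authorization_endpoint'=>'%s','token_endpoint'=>'%s','userinfo_endpoint'=>'%s'));" \
        "$qid" "$qsec" "$AUTHZ" "$TOKEN" "$USERINFO"
}

# Apply the configuration. $1 is the Drupal doc root; $2 is the
# hypothetical two-line credentials file (line 1 client id, line 2
# secret). The secret still reaches drush as an argument, as in the
# article, but it no longer lands in your shell history or terminal.
apply_oidc_config() {
    docroot=$1
    creds=${2:-"$HOME/.oidc-creds"}
    cid=$(sed -n 1p "$creds")
    csec=$(sed -n 2p "$creds")
    check_credentials "$cid" "$csec" || return 1
    cd "$docroot" || return 1
    "$DRUSH" vset openid_connect_connect_existing_users 1 || return 1
    "$DRUSH" php-eval "variable_set('openid_connect_clients_enabled', array('generic'=>'generic'));" || return 1
    # The generated PHP is passed as one argument, so double quotes or
    # dollar signs in the credentials cannot disturb shell quoting either.
    "$DRUSH" php-eval "$(build_client_php "$cid" "$csec")" || return 1
    "$DRUSH" cc all
}

# Usage on umpire.dsc.umich.edu, after "source /opt/remi/php73/enable":
#   sh oidc_setup.sh --apply /path/to/drupal/docroot ~/.oidc-creds
if [ "${1:-}" = "--apply" ]; then
    apply_oidc_config "$2" "$3"
fi
```

The database block updates and the final check in the administrator dashboard are still done by hand as described above; the script only covers the drush part, and it stops before running anything if either credential is empty or still reads like a template placeholder.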

Additional Information

Need additional information or assistance? Contact the ITS Service Center.