Environment
Drupal 7 CMS, AFS virtual host
Issue
How to install and configure OpenID Connect (OIDC) client for Drupal 7 CMS in an AFS-based virtual host
Before You Begin
- You will need to obtain OIDC credentials for your site
- These can be self-provisioned using the OIDC Provisioning and Management (OPaM) tool
- Provision OIDC service client credentials for your site per the instructions in the following ITS Knowledge Article: How to Provision OIDC Service Client Credentials
Resolution
Note: If you are preparing for a NEW installation of Drupal 7, install Drupal per instructions in the ITS Knowledge Article "Install Drupal 7 CMS in an AFS-Based Virtual Host" and then return here for the remaining steps.
- Install the custom U-M version of the openid_connect module using the wget command below.
- We have a U-M custom build of the module that must be used in order to configure a correctly functioning OIDC client with Drupal 7
- You can refer to the public documentation for the openid_connect module, but do not download or install the module from the public documentation page
- You must download and install this custom build as follows:
- Establish an SSH session to "umpire.dsc.umich.edu". You'll need to configure your environment to select the version of PHP you need to use. For Drupal 7 sites, you'll need to run this command:
source /opt/remi/php73/enable
- Run this command, substituting your actual directory name for [drupal doc root directory]:
wget -O - 'http://websites.umich.edu/~umweb/downloads/openid_connect-7.x-1.0umich.tgz' | tar -C [drupal doc root directory]/sites/all/modules -xzf -
Other modules are required dependencies of the OpenID Connect module and must also be installed. Install the following in the same manner as above, using the latest 7.x release of each and unpacking it in the [drupal doc root directory]/sites/all/modules/ directory:
- After the modules are installed, enable each (some may have more than one component to enable). Then enable the OpenID Connect module in the Admin interface.
- Press the Save Configuration button at the bottom of the page. You will be prompted to allow other dependency modules to be enabled as well.
- Press Continue to proceed.
- Before configuring the OpenID Connect Client module, several steps must be manually run from the command line of a shell terminal session, again on umpire.dsc.umich.edu. (Be sure to run `source /opt/remi/php73/enable` first if you are in a new shell terminal session.)
cd [drupal doc root directory]
/afs/umich.edu/group/itd/umweb/bin/drush-7.x/drush vset openid_connect_connect_existing_users 1
/afs/umich.edu/group/itd/umweb/bin/drush-7.x/drush php-eval "variable_set('openid_connect_clients_enabled', array('generic'=>'generic'));"
- Substitute your OIDC ID and Secret for "{{OIDC_ID}}" and "{{OIDC_SECRET}}" respectively in the following command:
/afs/umich.edu/group/itd/umweb/bin/drush-7.x/drush php-eval "variable_set('openid_connect_client_generic', array('client_id'=>'{{OIDC_ID}}','client_secret'=>'{{OIDC_SECRET}}','authorization_endpoint' => 'https://weblogin.umich.edu/idp/profile/oidc/authorize','token_endpoint'=>'https://weblogin.umich.edu/idp/profile/oidc/token','userinfo_endpoint'=>'https://weblogin.umich.edu/idp/profile/oidc/userinfo'));"
- Connect to your database:
/afs/umich.edu/group/itd/umweb/bin/drush-7.x/drush sqlc
- Change to your database:
use {{your-database-name}};
- Execute the following SQL commands, substituting your table prefix (e.g. "d7_") for {{table_prefix}}:
UPDATE {{table_prefix}}block SET region = -1, status = 0 WHERE module = 'user' AND delta = 'login' AND theme = 'bartik';
UPDATE {{table_prefix}}block SET region = 'sidebar_first', status = 1 WHERE module = 'openid_connect' AND delta = 'openid_connect_login' AND theme = 'bartik';
- Disconnect from your database:
quit;
- Clear all caches:
/afs/umich.edu/group/itd/umweb/bin/drush-7.x/drush cc all
- Confirm/Update configuration of openid_connect by navigating to “Configuration → Web Services → OpenID Connect” in the site administrator dashboard:
Setting Name | Setting Value
Enabled OpenID Connect clients | Generic
Client ID | ${OIDC_ID}
Client Secret | ${OIDC_SECRET}
Authorization Endpoint | https://weblogin.umich.edu/idp/profile/oidc/authorize
Token Endpoint | https://weblogin.umich.edu/idp/profile/oidc/token
UserInfo Endpoint | https://weblogin.umich.edu/idp/profile/oidc/userinfo
Save user claims on every login | checked
Fetch user profile picture from login provider | {site admin preference}
Automatically connect existing users | checked
- Save the updated settings via the “Save configuration” button at the bottom of the configuration page
- The login button should now read "Log in with Generic", and clicking it will log the user in through the standard U-M Weblogin process.
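The command-line portion of the resolution above (the three drush settings and the two block UPDATE statements) as a scripted, added example; this is not code from the article, from ITS, or from the openid_connect module. It assumes Python 3 on the same host where drush is available, and the function names (build_drush_commands, build_block_sql, configure, has_placeholder, safe_identifier) are this example's own. Two points it adds over typing the commands by hand: the client secret is passed to drush as a separate argv element rather than inside a double-quoted shell string, so a secret containing $, " or ' can neither break the php-eval nor be expanded by the shell, and it is read from the OIDC_SECRET environment variable instead of being typed on a command line that ends up in shell history. Values that still look like the article's placeholders ({{OIDC_ID}}, [drupal doc root directory]) are refused, and the table prefix is checked as an identifier before it is interpolated into SQL.

```python
"""Build and (optionally) run the drush / SQL steps for the U-M OpenID Connect
client without interpolating the client secret through a shell."""
import os
import re
import subprocess

# Paths and endpoints exactly as given in the article.
DRUSH = "/afs/umich.edu/group/itd/umweb/bin/drush-7.x/drush"
ENDPOINTS = {
    "authorization_endpoint": "https://weblogin.umich.edu/idp/profile/oidc/authorize",
    "token_endpoint": "https://weblogin.umich.edu/idp/profile/oidc/token",
    "userinfo_endpoint": "https://weblogin.umich.edu/idp/profile/oidc/userinfo",
}
# Shapes the article uses for values the reader must substitute.
PLACEHOLDER = re.compile(r"\{\{.*?\}\}|\$\{.*?\}|\[.*?\]")
# Conservative shape for a MySQL identifier fragment such as a table prefix.
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def has_placeholder(value):
    """True if the value is empty or still contains an unsubstituted placeholder."""
    return not value or PLACEHOLDER.search(value) is not None


def check_no_placeholder(name, value):
    if has_placeholder(value):
        raise ValueError(f"{name} still contains a placeholder: {value!r}")
    return value


def safe_identifier(value):
    """True if value may be interpolated into SQL as (part of) an identifier."""
    return value == "" or IDENTIFIER.match(value) is not None


def php_quote(value):
    """Render a string as a PHP single-quoted literal; only backslash and the
    single quote are special inside '...' in PHP."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def php_array(items):
    """Render a dict as a PHP 5-style array('k'=>'v', ...) literal."""
    return "array(" + ",".join(f"{php_quote(k)}=>{php_quote(v)}" for k, v in items.items()) + ")"


def build_drush_commands(client_id, client_secret, drush=DRUSH):
    """The three drush invocations from the article, as argv lists.
    Each list goes to subprocess without a shell, so the secret is never parsed
    by /bin/sh and never expanded, split or quoted incorrectly."""
    check_no_placeholder("client_id", client_id)
    check_no_placeholder("client_secret", client_secret)
    client = {"client_id": client_id, "client_secret": client_secret, **ENDPOINTS}
    return [
        [drush, "vset", "openid_connect_connect_existing_users", "1"],
        [drush, "php-eval",
         "variable_set('openid_connect_clients_enabled', array('generic'=>'generic'));"],
        [drush, "php-eval",
         f"variable_set('openid_connect_client_generic', {php_array(client)});"],
    ]


def build_block_sql(table_prefix, theme="bartik"):
    """The two UPDATEs that hide the core login block and show the
    openid_connect login block. Prefix and theme are interpolated, so both are
    validated as identifiers first."""
    for name, value in (("table_prefix", table_prefix), ("theme", theme)):
        if not safe_identifier(value):
            raise ValueError(f"unsafe {name}: {value!r}")
    block = f"{table_prefix}block"
    return [
        f"UPDATE {block} SET region = -1, status = 0 "
        f"WHERE module = 'user' AND delta = 'login' AND theme = '{theme}';",
        f"UPDATE {block} SET region = 'sidebar_first', status = 1 "
        f"WHERE module = 'openid_connect' AND delta = 'openid_connect_login' AND theme = '{theme}';",
    ]


def redact(argv, secret):
    """Copy of argv that is safe to print or log."""
    return [a.replace(secret, "***") for a in argv]


def configure(docroot, client_id, client_secret, dry_run=True):
    """Run the drush steps from the Drupal doc root (cd [drupal doc root directory]
    in the article). Returns the number of commands built."""
    check_no_placeholder("docroot", docroot)
    cmds = build_drush_commands(client_id, client_secret)
    for argv in cmds:
        print("+", " ".join(redact(argv, client_secret)))
        if not dry_run:
            subprocess.run(argv, cwd=docroot, check=True)
    return len(cmds)


if __name__ == "__main__":
    # Constructed sample values; real ones come from OPaM and your own site.
    configure(
        docroot=os.environ.get("DRUPAL_DOCROOT", "/tmp/example-docroot"),
        client_id=os.environ.get("OIDC_ID", "example-client-id"),
        client_secret=os.environ.get("OIDC_SECRET", "ex'ample$ecret"),
        dry_run=True,
    )
    for stmt in build_block_sql("d7_"):
        print(stmt)
```

Run it with DRUPAL_DOCROOT, OIDC_ID and OIDC_SECRET exported and dry_run left at True to see the redacted commands; set dry_run=False only on umpire.dsc.umich.edu after sourcing /opt/remi/php73/enable, since drush needs that PHP. The SQL statements are printed rather than executed so they can be pasted into the drush sqlc session described above.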
Additional Information
Need additional information or assistance? Contact the ITS Service Center.