Environment
Drupal 7 CMS, AFS virtual host
Issue
Configure OIDC-enabled Drupal 7 site to restrict access using MCommunity groups
Resolution
Authorization for access to pages in OIDC-enabled Drupal 9 sites can be managed using the "umichoidc" module.
This Knowledge Base article assumes you have installed and configured Drupal 9 and the "openid_connect" module in the AFS Virtual Web Hosting service via the following instructions:
Please ensure you have followed these documented processes before proceeding.
Establish an SSH session to "login.itd.umich.edu", then run the following command to download and unpack the {{release}} in your [drupal doc root directory]
wget -O - 'http://websites.umich.edu/~umweb/downloads/umichoidc-7.x-1.x.tar.gz' | tar -C [drupal doc root directory]/sites/all/modules -xzf -
- Navigate to "Manage → wwsauth", check the checkbox (under "OTHER") and press the "Save configuration" button. If OpenID Connect has not yet been installed or was not checked, it will prompt you to include OpenID Connect and other dependencies. If you see the prompt indicating that "Some required modules must be enabled", press the "Continue" button.
- After installation, the permission settings for the module will need to be configured.
- Navigate to "People → PERMISSIONS → Roles", add Roles with names matching MCommunity group names.
- Navigate to "Configuration → OpenID Connect", check the checkbox next to "Wolverine Web Services", and UNcheck the checkbox next to "Generic".
- Configure the plugin using the following settings:
Setting Name | Setting Value
--- | ---
Client ID | ${OIDC_ID}
Client Secret | ${OIDC_SECRET}
OIDC managed Roles | {Select Roles matching the MCommunity groups}
Override registration settings | unchecked
Add to standard login form | checked
Automatically connect existing users | unchecked
- Save the updated settings using the 'Save configuration' button at the bottom of the configuration page
- As you add/remove users in the MCommunity group(s), this module will add/remove Drupal roles delineated with a special prefix for the user as they log in
- These roles DO NOT sync with MCommunity
- When someone logs in, if they are a member of the corresponding MCommunity group, they will be added to the Drupal role at the time of login
- Expect to maintain membership in the MCommunity group; the Drupal role will never reflect more than a snapshot of the MCommunity group membership taken at login time
- The membership in the role will only be accurate at any given time for the person who has just logged in
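Because the Drupal roles are only a login-time snapshot of group membership, a user removed from the MCommunity group keeps the role until their next login. The following added example (not part of the umichoidc module or this article) reconciles two constructed exports, the current MCommunity group roster and the Drupal users_roles table with last-login times, and reports holders who are no longer in the group, members who have not yet been provisioned, and snapshots older than a chosen age. It assumes the Drupal role name equals the group name; the module's actual role prefix is not reproduced.

```python
"""Reconcile login-time Drupal role snapshots against current MCommunity membership.

Added example: the inputs are constructed samples, not real exports.
"""
from datetime import datetime, timedelta

# Constructed sample: uniqnames currently in the MCommunity group.
MCOMMUNITY_GROUP = {"site-editors": {"alice", "bob", "dana"}}

# Constructed sample of a Drupal users/users_roles export:
# (uniqname, role name, timestamp of the login that set the role).
# Assumption: role name == group name (the module's prefix is omitted here).
DRUPAL_ROLE_MEMBERS = [
    ("alice", "site-editors", datetime(2024, 5, 1)),
    ("carol", "site-editors", datetime(2024, 1, 15)),  # removed from the group since
    ("bob", "site-editors", datetime(2024, 3, 20)),
]


def reconcile(group_members, role_members, now, max_age=timedelta(days=30)):
    """Return (stale, missing, aging) dicts keyed by group/role name.

    stale   - holds the Drupal role but is no longer in the MCommunity group
    missing - in the group but has no role yet (has not logged in since being added)
    aging   - still a valid member, but the role snapshot is older than max_age
    """
    stale, missing, aging = {}, {}, {}
    for group, members in group_members.items():
        holders = {u for u, r, _ in role_members if r == group}
        stale[group] = sorted(holders - members)
        missing[group] = sorted(members - holders)
        aging[group] = sorted(
            u for u, r, t in role_members
            if r == group and u in members and now - t > max_age
        )
    return stale, missing, aging


def drift_report():
    """Run the reconciliation over the constructed samples at a fixed 'now'."""
    return reconcile(MCOMMUNITY_GROUP, DRUPAL_ROLE_MEMBERS, datetime(2024, 5, 10))


if __name__ == "__main__":
    stale, missing, aging = drift_report()
    for group in MCOMMUNITY_GROUP:
        print(f"{group}: stale={stale[group]} missing={missing[group]} aging={aging[group]}")
```

Stale entries are the ones to act on: removing the user from the MCommunity group alone does not revoke the Drupal role.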
Additional Information
Need additional information or assistance? Contact the ITS Service Center.