Environment
Drupal 9/10 CMS, AFS virtual host
Issue
How to install and configure OpenID Connect (OIDC) client for Drupal 9/10 CMS in an AFS-based virtual host.
IMPORTANT SECURITY NOTE: Per the Drupal core release cycle, Drupal 9 end-of-life and end of security support was reached on November 1, 2023. References to Drupal 9 are still retained in this document for now, but no new Drupal sites should be installed based on Drupal 9.x. Please install new sites based on Drupal 10. Existing Drupal 9 sites are strongly encouraged to upgrade to Drupal 10 as soon as possible to minimize exposure to any potential security issues with (now unsupported) Drupal 9 in the future.
Before You Begin
- You will need to obtain OIDC credentials for your site
- These can be self-provisioned using the OIDC Provisioning and Management (OPaM) tool
- Provision OIDC service client credentials for your site per the instructions in the following ITS Knowledge Article: How to Provision OIDC Service Client Credentials
Resolution
- If you are preparing for a NEW installation of Drupal 10 (see security note above regarding Drupal 9), install Drupal per instructions in the ITS Knowledge Article "Install Drupal 9/10 CMS in an AFS-Based Virtual Host" and then return here for the remaining steps in the current article.
- Install the openid_connect module with Composer, using the version constraint shown on the Releases page of the module site. See step #4 of the knowledge article "Install Drupal 9/10 CMS in an AFS-Based Virtual Host" for how Composer is installed inside your {{doc_root}} directory; the commands below are run from that directory.
cd {{doc_root}}
vendor/bin/composer require 'drupal/openid_connect:^1.4'
- Navigate to "Manage → Extend", locate "OpenID Connect" in the module list, check its box, and press the "Install" button
- After the module is installed, configure it by navigating to "Manage → Configuration → OpenID Connect" in the site administrator dashboard
- Configure the plugin using the following settings (${OIDC_ID} and ${OIDC_SECRET} are the client ID and client secret issued to your site by OPaM):

| Setting Name | Setting Value |
| --- | --- |
| Enabled OpenID Connect clients | Generic |
| Generic: Client ID | ${OIDC_ID} |
| Generic: Client secret | ${OIDC_SECRET} |
| Generic: Authorization endpoint | https://weblogin.umich.edu/idp/profile/oidc/authorize |
| Generic: Token endpoint | https://weblogin.umich.edu/idp/profile/oidc/token |
| Generic: UserInfo endpoint | https://weblogin.umich.edu/idp/profile/oidc/userinfo |
| Override registration settings | unchecked |
| Save user claims on every login | checked |
| OpenID buttons display in user login form | {site admin preference} |
| Advanced: Automatically connect existing users | unchecked |

Leave "Automatically connect existing users" unchecked: with it unchecked, a successful OIDC login is not silently linked to a pre-existing local Drupal account that happens to share the same e-mail address. Treat the client secret like any other credential; it grants the holder the ability to complete logins as your site's OIDC client.
- Save the updated settings using the 'Save configuration' button at the bottom of the configuration page
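Values entered on the configuration page are stored in the site database and are included in any configuration export. The snippet below is an added example for this article, not code from the openid_connect module or from the ITS procedure: it shows how a site administrator can instead supply the client ID and secret from environment variables in Drupal's settings.php and pin the endpoint and account-linking settings so they cannot be changed from the UI. It assumes the 8.x-1.x configuration object names openid_connect.settings.generic and openid_connect.settings and the key names shown (check them against the module's config/install directory or, if Drush is available, `drush config:get openid_connect.settings.generic` before relying on them), and it assumes the web server environment provides OIDC_ID and OIDC_SECRET; how those variables are set on an AFS virtual host is outside what this article covers.

```php
<?php
// Added example for this article: settings.php overrides for the openid_connect
// module (8.x-1.x). Not part of the module or the ITS install procedure.
// Assumed config object and key names; verify them on your own site.

// Drupal layers $config[...] overrides on top of stored configuration at
// runtime, so overridden values never reach the database or a config export.
$oidc_id = getenv('OIDC_ID');          // assumed to be set by the web server
$oidc_secret = getenv('OIDC_SECRET');  // assumed to be set by the web server

// Fail closed: if either credential is missing, disable the Generic client
// rather than leaving whatever was typed into the UI (and exported) in force.
$oidc_available = ($oidc_id !== false && $oidc_id !== '')
  && ($oidc_secret !== false && $oidc_secret !== '');

$config['openid_connect.settings.generic']['enabled'] = $oidc_available;
$config['openid_connect.settings.generic']['settings']['client_id'] = $oidc_available ? $oidc_id : '';
$config['openid_connect.settings.generic']['settings']['client_secret'] = $oidc_available ? $oidc_secret : '';

// Pin the IdP endpoints from the table above. With these overrides in place an
// edit on the configuration page cannot redirect the authorization code or
// token exchange to a different host.
$config['openid_connect.settings.generic']['settings']['authorization_endpoint']
  = 'https://weblogin.umich.edu/idp/profile/oidc/authorize';
$config['openid_connect.settings.generic']['settings']['token_endpoint']
  = 'https://weblogin.umich.edu/idp/profile/oidc/token';
$config['openid_connect.settings.generic']['settings']['userinfo_endpoint']
  = 'https://weblogin.umich.edu/idp/profile/oidc/userinfo';

// Pin the account-handling settings from the table above. Keeping
// connect_existing_users FALSE prevents an OIDC login from being linked to an
// unrelated local account that shares the same e-mail address.
$config['openid_connect.settings']['override_registration_settings'] = FALSE;
$config['openid_connect.settings']['always_save_userinfo'] = TRUE;
$config['openid_connect.settings']['connect_existing_users'] = FALSE;
```

After adding the overrides, the configuration page still shows the fields, but the overridden values take precedence; the secret field in the UI can then be left blank so that no copy of the secret is stored in the database or exported with the rest of the site configuration.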
Additional Information
Need additional information or assistance? Contact the ITS Service Center.