
EID authentication considerations for Drupal on Pantheon

Article Number : KB0014811
Published on : 2019-02-25
Last modified : 2019-02-25 15:43:57
Knowledge Base : IT Public Self Help

PLEASE NOTE: Pantheon does not support restriction of content based on EIDs, roles, or affiliations.

Required Modules

There are two modules included in the Drupal distribution that are required for EID authentication on Pantheon-hosted Drupal sites:

  • SimpleSAMLphp Authentication
  • UTexas SAML Authentication Helper

Please leave these modules enabled, as disabling them may cause EID authentication to work incorrectly or not at all. The codebase also includes the SimpleSAMLphp library in the document root's /private directory. This should not be removed.

Finally, UTLogin integration must be requested, which ITS will assist with. To request this, please email the CMS Hosting Platform team at chp-stewards@utlists.utexas.edu.

Module Options and Configuration

Navigate to Configuration > SimpleSAMLphp Auth Settings (/admin/config/people/simplesamlphp_auth). The available configuration options are below, with notes:

  • Activate authentication via SimpleSAMLphp. Leave this checked.
  • Installation directory. This is Pantheon environment specific and cannot be changed.
  • Authentication source for this SP. This is Pantheon environment specific and cannot be changed.
  • Federated Log In Link Display Name. This text is displayed on /user as a link to the UTLogin URL callback and may be changed.
  • Login path. This path cannot and should not be changed.
  • Register users (i.e., auto-provisioning). This generally should be left unchecked. Auto-provisioning accounts will add any user who logs in via the federated login path as an "authenticated user," which, depending on your site permissions schema, may unintentionally open content to visitors, and at the very least, will make quarterly user review (see below) rather daunting.

Quarterly user review

It is the site owner's responsibility to periodically review the users who have access to the site, and when necessary, remove or adjust the privileges of any users who should no longer have access to the site. This review should be performed at least once every 3 months.

To begin this process, a user with the "Administer users" permission should navigate to the "People" page (/admin/people) from the admin menu, and review each account's "Active" status as well as its currently assigned roles:

Screenshot of user admin page, highlight roles and active status

If a user no longer needs access to your site, we recommend both removing all of their roles, and disabling the account.

How to identify a user

The "People" page listing on UT QuickSites instances shows the users' UT EID and official UT email address. If you cannot recognize the identity of a user directly from the EID or email address, you can search for a user by EID in the UT Directory or the UT Community EID Listing (EID login required).

If a user does not show up in the UT Directory when searching by the UT EID, you should probably assume that this user is no longer affiliated with UT Austin, and block their account as a precautionary measure until their identity can be confirmed.

The UT Community EID Listing does include EIDs of users who are not actively affiliated with UT Austin, and can potentially provide more clues to a user's identity.

Blocking User Accounts and Removing Roles

First, click the "edit" button in the "Operations" column for the user you wish to disable:

Screenshot of user table with highlight of "edit" link

There are multiple click-paths that can be used to block a user or to completely delete the account.

Full account deletion is not necessary, and forces the site manager to make decisions about how to handle content that was authored by the user being deleted. We recommend blocking user accounts and removing all roles as the simplest solution for de-authorizing users who no longer should be able to access a site.
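The review steps above (check active status and roles, look the EID up in the directory, then block the account and remove its roles rather than deleting it) can be scripted so the site owner reviews a proposed action list before touching anything. The following is an added example, not part of this article or of the UTexas modules; the CSV columns, the EIDs and the directory lookup set are constructed here, and the emitted commands assume Drush 9+ with its user:block and user:role:remove commands.

```python
"""Quarterly user review helper (added example, not part of the article)."""
import csv
import io
from dataclasses import dataclass, field

# Constructed sample of a People page export. Column names are an assumption;
# a real export from /admin/people would need its columns mapped to these.
PEOPLE_CSV = """eid,email,status,roles
jdoe123,jdoe@utexas.edu,Active,"administrator,editor"
asmith7,asmith@utexas.edu,Active,editor
oldemp9,oldemp@utexas.edu,Active,"editor,content_author"
blocked1,blocked1@utexas.edu,Blocked,
guestx,guestx@utexas.edu,Active,
"""

# Constructed stand-in for a UT Directory search: EIDs that resolved to a
# currently affiliated person. oldemp9 and guestx are deliberately absent.
DIRECTORY_EIDS = {"jdoe123", "asmith7", "blocked1"}


@dataclass
class ReviewAction:
    eid: str
    reason: str
    commands: list = field(default_factory=list)


def review_users(people_csv: str, directory_eids: set) -> list:
    """Return one ReviewAction per active account not found in the directory.

    Blocked accounts are skipped: the article treats blocking plus role removal,
    not deletion, as the end state, so there is nothing further to do for them.
    """
    actions = []
    for row in csv.DictReader(io.StringIO(people_csv)):
        eid = row["eid"]
        if row["status"].strip().lower() != "active":
            continue  # already blocked
        if eid in directory_eids:
            continue  # recognised and still affiliated
        roles = [r.strip() for r in row["roles"].split(",") if r.strip()]
        # Strip every role first, then block; the account itself is kept.
        cmds = [f"drush user:role:remove '{r}' {eid}" for r in roles]
        cmds.append(f"drush user:block {eid}")
        actions.append(ReviewAction(eid, "not found in UT Directory", cmds))
    return actions


if __name__ == "__main__":
    for action in review_users(PEOPLE_CSV, DIRECTORY_EIDS):
        print(f"# {action.eid}: {action.reason}")
        print("\n".join(action.commands))
```

The script only prints the Drush commands; run them after confirming each flagged EID, and treat an active account with no roles (such as guestx here) as a likely auto-provisioned login from the "Register users" option.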

Other considerations
