EID authentication considerations for Drupal on Pantheon
IMPORTANT: Pantheon and the UT Drupal Kit do not natively support restriction of content based on EID's, roles, or affiliations. For more information about how to implement content restrictions based on EID, please contact the UT Drupal Kit team at firstname.lastname@example.org
Use of the UT Drupal Kit is NOT required for EID authentication in Drupal 9. EID authentication for sites using Drupal 9 can be implemented by adding the
pantheon_saml_integration Composer package.
For detailed installation and setup instructions, see https://drupalkit.its.utexas.edu/docs/getting_started/pantheon_setup.html#integrating-enterprise-authentication.
The official end-of-life for Drupal 7 is scheduled for November 2023. New sites should NOT be created with Drupal 7 or the Drupal 7 version of the UT Drupal Kit. See Drupal 7 end-of-life and the UT Drupal Kit for more information.
The modules, libraries, and configuration files required for EID authentication on for sites using Drupal 7 on Pantheon are only available through the UT Drupal Kit custom upstream. UT EID authentication is NOT available for Drupal 7 sites which do not use the UT Drupal Kit.
Requesting Enterprise Authentication Integration (all versions)
To start using UT EID authentication, the site owner must request that the site be added to the Enterprise Authentication integration for Pantheon. To request this, please open a ticket by emailing email@example.com and providing the name of the site dashboard. Typical turnaround time for Enterprise Authentication integration is 2-3 business days.
Required Modules (all versions)
There are two modules available via the UT Drupal Kit distribution that are required for EID authentication on Pantheon-hosted Drupal sites:
- SimpleSAMLphp Authentication
- UTexas SAML Authentication Helper
These modules should remain enabled, as disabling them may cause EID authentication to work incorrectly or not at all. Configuration also requires the SimpleSAMLphp library which will be located in the document root's
/private directory. This should not be removed.
Module Options and Configuration (all versions)
Navigate to Configuration > SimpleSAML php Auth Settings (/admin/config/people/simplesamlphp_auth). The available configuration options are below, with notes:
- Activate authentication via SimpleSAMLphp. Leave this checked.
- Installation directory. This is Pantheon environment specific and cannot be changed.
- Authenticaton source for this SP. This is Pantheon environment specific and cannot be changed.
- Federated Log In Link Display Name. This text is displayed on /user as a link to the UTLogin URL callback and may be changed.
- Login path. This path cannot and should not be changed.
- Register users (i.e., auto-provisioning). This generally should be left unchecked. Auto-provisioning accounts will add any user who logs in via the federated login path as an "authenticated user," which, depending on your site permissions schema, may unintentionally open content to visitors, and at the very least, will make quarterly user review (see below) rather daunting.
Quarterly user review (all versions)
It is the site owner's responsibility to periodically review the users who have access to the site, and when necessary, remove or adjust the privileges of any users who should no longer have access to the site. This review should be performed at least once every 3 months.
To begin this process, a user with the "Administer users" permission should navigate to the "People" page (/admin/people) from the admin menu, and review for their "Active" status as well as their currently authorized roles:
If a user no longer needs access to your site, we recommend both removing all of their roles, and disabling the account.
The "People" page listing on UT QuickSites instances shows the users' UT EID and official UT email address. If you cannot recognize the identity of a user directly from the EID or email address, you can search for a user by EID in the UT Directory or the UT Community EID Listing (EID login required).
If a user does not show up in the UT Directory when searching by the UT EID, you should probably assume that this user is no longer affiliated with UT Austin, and block their account as a precautionary measure until their identity can be confirmed.
The UT Community EID Listing does include EIDs of users who are not actively affiliated with UT Austin, and can potentially provide more clues to a user's identity.
Blocking User Accounts and Removing Roles
First, click the "edit" button in the "Operations" column for the user you wish to disable:
Next, change the user status setting from "Active" to "Blocked," and uncheck all roles:
There are multiple click-paths that can be used to block a user or to completely delete the account.
Full account deletion is not necessary, and forces the site manager to make decisions about how to handle content that was authored by the user being deleted. We recommend blocking user accounts and removing all roles as the simplest solution for de-authorizing users who no longer should be able to access a site.