
Drupal-to-Drupal SSO with OpenID Connect

Drupal

In this article, I will document how to enable logging into a Drupal site via the credentials on another Drupal site. There are a variety of standards out there that can enable Single Sign On: SAML, LDAP, OAuth2, OpenID Connect, etc. I chose OpenID Connect because this project had a separate, non-Drupal site that also needed to integrate with the SSO and that site supported OpenID Connect. It may also be helpful to note that the two Drupal sites I am enabling SSO for are actually the same Drupal install but use the Domain module to serve different content based on the domain name.

Server

For the server side of the equation, I chose to use Simple OAuth (OAuth2) & OpenID Connect (https://www.drupal.org/project/simple_oauth). This module implements the OAuth 2.0 Server from The League of Extraordinary Packages, a widely used standard PHP library for OAuth2. At the time of this writing (January 2025), I chose the latest 6.x version even though the module page recommends the 5.x branch. I initially installed 5.x but quickly discovered it was missing several necessary features and wasn't receiving many updates.

Install the module as directed. The two important parts to configure properly are the public/private keys and the client (consumer). Follow the module’s installation instructions for the keys. For the consumer, you can use the default consumer. We’ll use the authorization code grant type. Since we’re serving up connections to other sites we own, we can configure the server to simplify the process.

  • Edit the consumer at "/admin/config/services/consumer/1/edit"
  • In the Authorization Code settings, use these values:
    • Automatic authorization, yes
    • Remember previous approval, yes
    • Use PKCE?, no

[Screenshot: Simple OAuth authorization code settings]

  • For redirect URIs, add an entry for each client domain plus "/openid-connect/generic"
  • At the end of the form, use these values:
    • Is this consumer 3rd party?, no
    • Is Confidential?, yes

[Screenshot: Simple OAuth consumer configuration]

Client

For the client, install OpenID Connect / OAuth client (https://www.drupal.org/project/openid_connect) version 3.0.0-alpha5 or later.

  • Visit "/admin/config/people/openid-connect" and add a Generic OAuth 2.0 client.
  • Enter the Client ID and secret matching the consumer from the Simple Oauth server you set up.
  • Leave Auto discover endpoints off.
  • Authorization endpoint: Server domain + “/oauth/authorize”
  • Token endpoint: Server domain + “/oauth/token”
  • UserInfo endpoint: Server domain + “/oauth/userinfo”
  • Scopes: openid email

In the Advanced section of the OpenID Connect Settings, set Automatically connect existing users to true. Since we control both the server and client sites, it is safe to connect existing users by email.

[Screenshot: OpenID Connect client settings]

While on the OpenID Connect Settings, you can control other settings for user experience on client sites, including how values are synced across sites. You can also configure the UI of the login form, now that you have SSO. The login form can be replaced entirely, or the SSO buttons can be displayed above or below. Finally, there is experimental support for mapping OpenID Connect groups to Drupal roles.
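To make the configuration above concrete, here is an added example (not code from the article or from either Drupal module) that models what the client does with those settings: it builds the authorization request against the server's "/oauth/authorize" endpoint with the "openid email" scopes, checks the callback to "/openid-connect/generic" (exact redirect URI match and state check), and assembles the confidential-client token request for "/oauth/token". The server and client domains, client id and secret are assumed placeholder values.

```python
"""Model of the authorization code flow configured above (constructed example)."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

SERVER = "https://sso.example.org"                # assumed Simple OAuth server domain
CLIENT_DOMAINS = ["https://site-a.example.org",   # assumed client sites served by the Domain module
                  "https://site-b.example.org"]
CALLBACK_PATH = "/openid-connect/generic"          # redirect path used by the openid_connect Generic client

# Redirect URIs registered on the consumer: one entry per client domain plus the callback path.
REGISTERED_REDIRECTS = {domain + CALLBACK_PATH for domain in CLIENT_DOMAINS}

def redirect_uri_allowed(uri: str) -> bool:
    """Exact string match against the registered list; no prefix or wildcard matching."""
    return uri in REGISTERED_REDIRECTS

def new_state() -> str:
    """Unguessable per-login state the client stores in the session and checks on return."""
    return secrets.token_urlsafe(32)

def build_authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Authorization request the client sends the browser to (authorization code grant)."""
    if not redirect_uri_allowed(redirect_uri):
        raise ValueError("redirect_uri is not registered on the consumer")
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid email", "state": state}
    return SERVER + "/oauth/authorize?" + urlencode(params)

def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back to the client and return the authorization code."""
    parsed = urlparse(callback_url)
    base = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    if not redirect_uri_allowed(base):
        raise ValueError("callback arrived at an unregistered URI")
    query = parse_qs(parsed.query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this login attempt")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]

def token_request(client_id: str, client_secret: str, code: str, redirect_uri: str):
    """Endpoint and form body the client posts server-side to exchange the code."""
    body = {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret,          # confidential consumer, so the secret is sent
            "code": code,
            "redirect_uri": redirect_uri}            # must equal the value used in the authorize request
    return SERVER + "/oauth/token", body
```

The access token returned from "/oauth/token" is then presented to "/oauth/userinfo", which is where the client obtains the email used to connect existing users.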
