SSO Integration With Microsoft AD FS 2.0 and Drupal

Experience level: Intermediate

Session track: Code and DevOps

This track is focused on developers and the back-end technologies to deal with today’s and future challenges. With the coming release of Drupal 8, as well as emerging Web technologies, preparation is essential. These sessions will help you learn how to deliver effective solutions to meet these needs.


MyCareer@VA is a web portal sponsored by VA Learning University (VALU). It allows VA and non-VA employees to explore and develop career paths within VA. In 2014 the portal went through a major redesign. To enhance the user experience, the MyCareer@VA team expanded the portal so that users can create and save a personal profile as they use its tools to develop their career plans. The expanded functionality included Single Sign-On (SSO) and the migration of a major part of the portal from SharePoint 2010 to the Drupal CMS. The final architecture is an integrated platform consisting of Drupal running on Linux servers, Microsoft Internet Information Services (IIS), and Active Directory Federation Services (AD FS) 2.0.

To accomplish the objectives of the expanded user account, MyCareer@VA needs a security framework that lets users create and store a profile and perform SSO with other business partners. The framework must follow a repeatable methodology so that future business partners can share data with MyCareer@VA over an SSO interface, with MyCareer@VA established as the Identity Provider (IdP).

The overall design goal of the SSO solution for the MyCareer@VA web portal is to externalize the authentication logic: provide a common authentication system to which any trusted Relying Party (RP) can submit a request to authenticate a user. The objective is to remove most or all of the identity-management logic from the RPs, leaving application developers free to focus on business logic and removing the need for every developer to become a security expert. Externalizing identity management is made possible by standard protocols (e.g. SAML 2.0, WS-Federation) that describe the details of the identity transactions independently of the platforms or technologies involved.

The MyCareer@VA SSO solution consists of an AD FS 2.0 server and a custom Security Token Service (STS). The AD FS 2.0 server acts as a Federation Gateway and communicates directly with the STS using WS-Federation. The Federation Gateway accepts both WS-Federation and SAML 2.0 authentication requests. Drupal, acting as an RP, communicates with the Federation Gateway using SAML 2.0. When a user requests a secured resource hosted on Drupal, Drupal sends a SAML authentication request (AuthnRequest) to the Federation Gateway. The gateway validates the request and redirects the user to the STS for authentication. If the user authenticates successfully, a SAML response is returned to Drupal, which validates it by verifying the digital signature. Only if the signature is valid does Drupal determine the user's authorization level from the claims (SAML attributes) carried in the response. Besides the signature, a careful RP also checks that the assertion's audience, destination, InResponseTo value and validity window match the request it issued; a correctly signed assertion that was issued for another RP, or captured and replayed later, would otherwise be accepted.
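The SP-initiated exchange described above, reduced to the message handling on the Drupal side, as an added example that is not code from the MyCareer@VA project or from any Drupal SAML module. It builds the AuthnRequest and encodes it for the HTTP-Redirect binding, then applies the checks an RP must make on the returned response before trusting its claims, and finally maps AD FS role claims to Drupal roles. The endpoint URLs, entity IDs, the claim-to-role table and the sample response are constructed for the example; XML-DSig verification of the assertion against the AD FS token-signing certificate is assumed to be done by the SAML library and is passed in as a flag rather than reimplemented here.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical endpoints and entity IDs (assumed for the example, not from the page).
RP_ENTITY_ID = "https://drupal.example.test/saml/metadata"
RP_ACS_URL = "https://drupal.example.test/saml/acs"
IDP_ENTITY_ID = "http://adfs.example.test/adfs/services/trust"
IDP_SSO_URL = "https://adfs.example.test/adfs/ls/"

# AD FS emits claims as URIs; the mapping of role claim values to Drupal roles is constructed.
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
CLAIM_TO_DRUPAL_ROLE = {"VA-Employee": "employee", "Career-Coach": "coach"}

TS = "%Y-%m-%dT%H:%M:%SZ"
NOW = datetime(2014, 6, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for the example
LATER = NOW + timedelta(hours=1)                          # a time outside the assertion window


def build_authn_request(request_id, issue_instant=NOW):
    """AuthnRequest the Drupal RP sends to the federation gateway (AD FS)."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant.strftime(TS)}" '
            f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{RP_ACS_URL}" '
            'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f'<saml:Issuer>{RP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')


def encode_saml_request(xml):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64; goes in ?SAMLRequest=."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def decode_saml_request(encoded):
    """Gateway side of the same binding: base64, then raw INFLATE."""
    return zlib.decompress(base64.b64decode(encoded), -15).decode()


def _ts(s):
    return datetime.strptime(s, TS).replace(tzinfo=timezone.utc)


def validate_response(response_xml, expected_request_id, now, signature_verified):
    """Checks Drupal makes before trusting claims; returns (NameID, {claim: [values]}).
    The XML signature must already have been verified by the SAML library."""
    if not signature_verified:
        raise ValueError("assertion signature not verified")
    root = ET.fromstring(response_xml)
    if root.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP did not return Success")
    if root.get("InResponseTo") != expected_request_id:    # replay / unsolicited response
        raise ValueError("InResponseTo does not match an outstanding request")
    if root.get("Destination") != RP_ACS_URL:
        raise ValueError("response not addressed to this RP's ACS")
    assertion = root.find("saml:Assertion", NS)
    if assertion.find("saml:Issuer", NS).text != IDP_ENTITY_ID:
        raise ValueError("assertion not issued by the trusted gateway")
    cond = assertion.find("saml:Conditions", NS)
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if RP_ENTITY_ID not in audiences:                        # token minted for another RP
        raise ValueError("assertion not intended for this RP")
    name_id = assertion.find("saml:Subject/saml:NameID", NS).text
    claims = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
              for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id, claims


def drupal_roles(claims):
    """Authorization from claims: every authenticated user gets the base role,
    and only role claim values listed in the mapping grant anything more."""
    roles = {"authenticated user"}
    roles.update(CLAIM_TO_DRUPAL_ROLE[v] for v in claims.get(ROLE_CLAIM, []) if v in CLAIM_TO_DRUPAL_ROLE)
    return roles


def sample_response(in_response_to, issued=NOW, name_id="jane.doe@va.example.test",
                    roles=("VA-Employee", "Contractor")):
    """Constructed AD FS-style Response with a five-minute validity window."""
    nb, na = (issued - timedelta(minutes=5)).strftime(TS), (issued + timedelta(minutes=5)).strftime(TS)
    values = "".join(f"<saml:AttributeValue>{r}</saml:AttributeValue>" for r in roles)
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{issued.strftime(TS)}" '
            f'Destination="{RP_ACS_URL}" InResponseTo="{in_response_to}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{issued.strftime(TS)}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}"><saml:AudienceRestriction>'
            f'<saml:Audience>{RP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            f'<saml:AttributeStatement><saml:Attribute Name="{EMAIL_CLAIM}">'
            f'<saml:AttributeValue>{name_id}</saml:AttributeValue></saml:Attribute>'
            f'<saml:Attribute Name="{ROLE_CLAIM}">{values}</saml:Attribute>'
            '</saml:AttributeStatement></saml:Assertion></samlp:Response>')


if __name__ == "__main__":
    rid = "_" + uuid.uuid4().hex
    print(IDP_SSO_URL + "?SAMLRequest=" + encode_saml_request(build_authn_request(rid))[:40] + "...")
    user, claims = validate_response(sample_response(rid), rid, NOW, signature_verified=True)
    print(user, sorted(drupal_roles(claims)))
```

The request ID must be stored server-side (in the user's session) when the AuthnRequest is issued and consumed when the matching response arrives; that is what makes the InResponseTo check meaningful. The order of checks also matters: the signature is verified first, so that nothing parsed from the response is trusted before its origin is established.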