Enabling MyAccess sign-on

Note: These instructions are only applicable for sites on UCSF’s Acquia-hosted Drupal 7 root and UCSF MyAccess Settings feature version 7.x-1.3 (version 7.x-1.2 may cause problems).

The UCSF MyAccess Settings Feature provides a mostly pre-configured route to enabling UCSF MyAccess as your site’s main sign-on mechanism.  The Feature configures your site to use resources already installed on the Acquia hosting environment, automatically switches MyAccess “on” for production and “off” for stage and dev, and automatically converts any links to “user/login” to redirect to SimpleSAML and MyAccess when activated.  SimpleSAML and SAML are tools we use to connect to MyAccess.

Although this is mostly pre-configured, it is important to review this documentation, as there are a couple manual steps to ensure you can access your site through MyAccess.

Send a request for SAML Activation

Open a ticket in the ITS TA Identity Management queue (go to help.ucsf.edu and select "Something isn't working right". When the incident page loads, go to "Type of Help" and select "MyAccess").

Provide the following information:

This is a request for SAML/MyAccess integration. Please add endpoints for yoursite.ucsf.edu to the it.ucsf.edu metadata.

Note: it is unnecessary to list ‘dev’ or ‘stage’ sites, as SimpleSAML only runs in production. Replace yoursite.ucsf.edu with the hostname of the site on which you want to use MyAccess.

You should be notified when SAML activation is complete.  If you carry out the next steps carefully, you can still proceed while waiting.

Make a list of fallback Administrators

Note: All instructions from here on out should be carried out on whichever environment (dev, stage, production) is authoritative in terms of the DB and configuration.

Go to the user list in the Admin menu (Admin > People) and figure out which users need “fallback” access (back-end access with a local account on dev and stage).  All other users will have to have their roles re-assigned once SAML is active in production.

Write a comma-separated list of the user IDs corresponding to the users who need fallback access. The list should always begin with user “1”. You can hover over a user’s “edit” link, or click their “edit” link and discern their User ID from the URL (/user/##).

Example list: 1,2,5,27,38 -- keep this somewhere convenient.

Note: Any list other than 1,2 may cause Features to report the UCSF MyAccess Settings Feature as "Overridden" -- this is OK.

Note: If the only admin accounts you are using are user “1” (the initial superuser, ucsf_admin on the Starter Kit) and user “2”, you could skip this step, but it’s still a good idea to check. 1,2 is the default list. If you don’t have access to at least one of the accounts in the list (whether the default 1,2 or your own list), you can lock yourself out.

Activate the SAML Feature

We’ve prepackaged all the other settings, so instead of enabling individual modules, go to the Features interface (Admin > Structure > Features) and click on the side tab labeled “UCSF”.

Check the box next to UCSF MyAccess settings and then click Save Settings.  If for some reason your site is not using Features, you’ll have to enable the Features module first.

Finalize SAML Settings

Now go to the SimpleSAML PHP Auth module settings (Admin > Configuration > People > simpleSAMLphp authentication module settings) and paste your list into the field at the bottom of the page marked “Which users should be allowed to login with local accounts?” (if your list is more than '1,2'). Then click Save configuration.

Check that your user IDs were saved in the local accounts field.  Then scroll to the top and check the box for Activate authentication via SimpleSAML.php, scroll to the bottom and click Save configuration. This finalizes the conversion to MyAccess login.

If you need to access the fallback account on a production site, you can do so by manually going to the user/login page (yoursite.ucsf.edu/user/login). SimpleSAML should work once ITS completes your request above.
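The fallback list above is what decides whether anyone can still sign in with a local Drupal account once MyAccess is active, so it is worth checking before you click Save configuration. The following pre-flight check is an added example, not UCSF's or the simplesamlphp_auth module's own code: it parses the comma-separated list in the format the page uses, flags the two mistakes the notes warn about (a list that does not start with user 1, and a list that omits the account you are currently using), and models the local-login rule as the page describes it (local login always available on dev and stage, only for listed users on production). The environment names and the `local_login_allowed` rule are assumptions that mirror this page's description, not the module's actual implementation.

```python
"""Pre-flight check for the MyAccess fallback-admin list (added example).

Models the behaviour described on the page; it does not call Drupal or
the simplesamlphp_auth module.
"""

# Environments on which the Feature leaves MyAccess switched "off" (assumption,
# taken from the page's description of the UCSF MyAccess Settings Feature).
LOCAL_LOGIN_ENVIRONMENTS = ("dev", "stage")

# The default list the Feature ships with, per the page.
DEFAULT_FALLBACK_LIST = [1, 2]


def parse_fallback_list(text: str) -> list[int]:
    """Parse a list such as '1,2,5,27,38' into user IDs.

    Whitespace around entries is tolerated; duplicates are dropped while
    keeping the original order; anything that is not a positive integer
    (including uid 0, the anonymous user) is rejected.
    """
    ids: list[int] = []
    for part in text.split(","):
        part = part.strip()
        if not part.isdigit():
            raise ValueError(f"not a user ID: {part!r}")
        uid = int(part)
        if uid == 0:
            raise ValueError("uid 0 is the anonymous user and cannot be a fallback admin")
        if uid not in ids:
            ids.append(uid)
    return ids


def check_fallback_list(ids: list[int], my_uid: int) -> list[str]:
    """Return the problems a site builder should fix before saving the list."""
    problems = []
    if not ids or ids[0] != 1:
        problems.append("list must begin with user 1 (the superuser)")
    if my_uid not in ids:
        problems.append(
            f"your own account (uid {my_uid}) is not in the list; "
            "with MyAccess active you would lock yourself out of local login"
        )
    return problems


def features_will_report_overridden(ids: list[int]) -> bool:
    """The page notes that any list other than 1,2 may show the Feature as Overridden."""
    return ids != DEFAULT_FALLBACK_LIST


def local_login_allowed(environment: str, allowed_ids: list[int], uid: int) -> bool:
    """Model of the local-login rule as the page describes it (assumption).

    On dev and stage MyAccess is off, so every local account can log in.
    On production only the listed fallback accounts may use user/login.
    """
    if environment in LOCAL_LOGIN_ENVIRONMENTS:
        return True
    return uid in allowed_ids


if __name__ == "__main__":
    # Constructed sample: the page's example list, checked by a user with uid 27.
    sample = "1,2,5,27,38"
    ids = parse_fallback_list(sample)
    print("parsed:", ids)
    print("problems:", check_fallback_list(ids, my_uid=27) or "none")
    print("Features may show Overridden:", features_will_report_overridden(ids))
    for env, uid in (("dev", 99), ("production", 99), ("production", 27)):
        print(f"{env}: uid {uid} local login ->", local_login_allowed(env, ids, uid))
```

Run it with your own list and uid before activating SimpleSAML; an empty problems list is the state you want, and the "Overridden" flag simply tells you to expect the Features note from above rather than a fault.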

Next steps

  • Add smart login/logout links to a Drupal 7 site
  • If you don't do login/logout links, the login path is /saml_login
  • Check your permissions! Anyone at UCSF will automatically have the Authenticated User role.
  • Assign roles to new SAML-based users (like authors and editors).  Have them login once via MyAccess and then they will show up like any other user in the user list (Admin > People) and can be assigned roles.