EID authentication considerations for Drupal on Pantheon
PLEASE NOTE: Pantheon does not support restriction of content based on EID's, roles, or affiliations.
There are two modules included in the Drupal distribution that are required for EID authentication on Pantheon-hosted Drupal sites:
- SimpleSAMLphp Authentication
- UTexas SAML Authentication Helper
Please leave these modules enabled, as disabling them may cause EID authentication to work incorrectly or not at all. The codebase also includes the SimpleSAMLphp library in the document root's /private directory. This should not be removed.
Finally, UTLogin integration must be requested, which ITS will assist with. To request this, please email the CMS Hosting Platform team at firstname.lastname@example.org.
Module Options and Configuration
Navigate to Configuration > SimpleSAML php Auth Settings (/admin/config/people/simplesamlphp_auth). The available configuration options are below, with notes:
- Activate authentication via SimpleSAMLphp. Leave this checked.
- Installation directory. This is Pantheon environment specific and cannot be changed.
- Authenticaton source for this SP. This is Pantheon environment specific and cannot be changed.
- Federated Log In Link Display Name. This text is displayed on /user as a link to the UTLogin URL callback and may be changed.
- Login path. This path cannot and should not be changed.
- Register users (i.e., auto-provisioning). This generally should be left unchecked. Auto-provisioning accounts will add any user who logs in via the federated login path as an "authenticated user," which, depending on your site permissions schema, may unintentionally open content to visitors, and at the very least, will make quarterly user review (see below) rather daunting.
Quarterly user review
It is the site owner's responsibility to periodically review the users who have access to the site, and when necessary, remove or adjust the privileges of any users who should no longer have access to the site. This review should be performed at least once every 3 months.
To begin this process, a user with the "Administer users" permission should navigate to the "People" page (/admin/people) from the admin menu, and review for their "Active" status as well as their currently authorized roles:
If a user no longer needs access to your site, we recommend both removing all of their roles, and disabling the account.
The "People" page listing on UT QuickSites instances shows the users' UT EID and official UT email address. If you cannot recognize the identity of a user directly from the EID or email address, you can search for a user by EID in the UT Directory or the UT Community EID Listing (EID login required).
If a user does not show up in the UT Directory when searching by the UT EID, you should probably assume that this user is no longer affiliated with UT Austin, and block their account as a precautionary measure until their identity can be confirmed.
The UT Community EID Listing does include EIDs of users who are not actively affiliated with UT Austin, and can potentially provide more clues to a user's identity.
Blocking User Accounts and Removing Roles
First, click the "edit" button in the "Operations" column for the user you wish to disable:
Next, change the user status setting from "Active" to "Blocked," and uncheck all roles:
There are multiple click-paths that can be used to block a user or to completely delete the account.
Full account deletion is not necessary, and forces the site manager to make decisions about how to handle content that was authored by the user being deleted. We recommend blocking user accounts and removing all roles as the simplest solution for de-authorizing users who no longer should be able to access a site.