SimpleSAMLphp: how to set up Drupal to authenticate against Microsoft ADFS


Before we start to talk about this topic, think about using LDAP. If you can't convince your boss or client to use LDAP, unfortunately, you may have to go with ADFS, which is a bitter and unpleasant process. 

ADFS: it is a service that Active Directory server provides to allow remote user to authenticate in AD server. You can find a better explanation in here. It will come to you when your client/boss refuse to open their LDAP port to your web server. 


  • Access to your web server and write permission to the web root.
  • Your ADFS is configured and ready to use. (This means you have the ADFS url ready. Something like this:
  • You have the signed certificate file from ADFS.
  • You have a friendly Wintel guy who knows what is he doing. !important

First of all, you need to install SimpleSAMLphp library in your web server. A really good document I found about using SimpleSAMLphp in Acquia helped me a lot. Following this article, you will have SimpleSAMLphp library installed in your web root and simplesamlphp_auth module installed in your Drupal site. In this stage, you should be able to visit the simplesample UI from http://yoursite/simplesaml. 

However, the Acquia document did not mention the details about how to configure the SimpleSAMLphp against your ADFS. It only put a link of SimpleSAMLphp document page and assumed you can figure it out easily. You don't have to read the whole document, the only part that can help you is the idp part, as you want to set your web server as an Service Provider (SP). 

Set /simplesamlphp/config/authsources.php up like below:

$config = array(
  'admin' => array(
    'core:AdminPassword', ----the admin password for SimpleSAMLPhp
  'default-sp' => array(
    'entityID' =>'urn:drupal:adfs-test', ---- this should match the entity name in your ADFS server, provided by your Wintel sysadmin.
    'idp' => 'http://{ADFS IP}/adfs/services/trust', ---- Confirm this address with you Wintel sysadmin.
    'privatekey' => 'saml.pem', ---- Your key from Wintel sysadmin.
    'certificate' => 'saml.crt', ---- Your certificate from Wintel sysadmin.
    'NameIDPolicy' => NULL,

When you have the authsources.php set up,

  • Download the xml file from your ADFS url. 
  • Visit http://yoursite/simplesaml and click the Federation tab.
  • Click 'XML to simpleSAMLphp metadata converter'.
  • Paste the XML file in to the text area and click Parse.
  • You should have converted metadata: shib13-sp-remote and saml20-sp-remote.
  • ​Copy the content in saml20-sp-remote.
  • ​Replace the content between the php tags in /simplesamlphp/metadata/saml20-idp-remote.php with the content you copied.
  • Under ‘entityid’ line, add following line: ‘sign.logout’ => TRUE,.
  • Save the file.
  • Go back to the federation tab and download the SAML 2.0 sp metadata.
  • Send it to your Wintel sysadmin before he starts to ask. You may need to convert it to xml file for him.

Enable SimpleSAMLphp authentication on your Drupal module configuration page. 

You should be able to select 'Federated Log In' when you log in to Drupal. The link will redirect you to the ADFS server login page. After many clicks, you will get redirected back to Drupal as authenticated user. 

Note: There is no way to make the login process seamless, as you are jumping between servers. The best you can do is to edit the ADFS login html file to make it looks like your login page (no comment). Plus, you may not have the access to the HTML file :( 

My final suggestion: Do NOT use it. :)

OK, this is updated 10 months later: 

I made it work again with huge help with my friend. (I NEVER thought I would have to do it again or make it work again?)

Things people need to be careful:

  • Make sure your authsources.php IDP url is exactly same as the $metadata array key value in your saml20-sp-remote.
  • Always check the simplesamlphp log when you feel like suicide, that can save your life.
  • Drupal simplesaml module will NOT syc the existing user account with the AD user account. So you either manually add the user details to the authmap table or remove the existing user account and let simplesaml to register it.

Good luck and hope you don't need to have a look at this, again.