Single Sign-On (SSO) is a crucial part of modern web applications, enabling users to authenticate once and access multiple systems securely. If your organization uses Salesforce as an Identity Provider (IdP) and Drupal as a Service Provider (SP), you can establish a secure SSO connection using the SAML protocol.
In this blog, we’ll walk through how to integrate Drupal with Salesforce for SSO using the SAML Authentication module. We’ll also explore how to dynamically sync user data—like first name, last name, company, and roles—from Salesforce into Drupal during login.
Prerequisites
Before starting, ensure you have the following:
- A working Drupal 9 or 10 site.
- Access to the Salesforce admin console.
- The SAML Authentication module installed in Drupal.
- SSL enabled on your Drupal site (SAML requires HTTPS).
Step 1: Install the SAML Authentication Module in Drupal
You can install the module via Composer:
composer require drupal/saml_auth
Then enable it using Drush or through the Drupal admin interface:
drush en saml_auth
Dependencies (like simplesamlphp) may need to be managed manually or via the simplesamlphp_auth module if you prefer a different approach.
Step 2: Configure Salesforce as an Identity Provider (IdP)
- Log in to Salesforce, and go to: Setup → Apps → App Manager → New Connected App
- Fill in the basic details, then under Web App Settings:
- Enable SAML.
- Entity ID: Use your Drupal site’s SP Entity ID (e.g., https://example.com/saml/metadata)
- ACS URL: https://example.com/saml/acs
- Subject Type: Usually Email or Username.
- Name ID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- Add custom attributes:
- FirstName
- LastName
- Company
- Roles
- Download the IdP metadata or note:
- IdP SSO URL
- IdP Entity ID
- X.509 certificate
Step 3: Configure the SAML Authentication Module in Drupal
Navigate to: Admin → Configuration → People → SAML Authentication Settings (/admin/config/people/saml)
Fill in the settings:
- IdP Entity ID and SSO URL: From Salesforce.
- X.509 Certificate: Paste the public cert here.
- SP Entity ID: Can be your site URL or a custom value.
- ACS URL: Must match what you provided to Salesforce.
- NameID format: Match Salesforce (usually emailAddress).
- User match field: Set to mail.
Step 4: Dynamic User Synchronization
By default, SAML Authentication handles user login and account creation, but we extended this with custom logic to map additional attributes from Salesforce into the Drupal user profile.
Salesforce sends additional user information in the SAML assertion, including:
- First name
- Last name
- Company
- Roles
We’ve extended the default SAML authentication behavior with a custom hook or event subscriber to:
- Create new users in Drupal using the email as the unique identifier.
- Populate additional profile fields like first name, last name, and company.
- Assign user roles dynamically based on the roles attribute from Salesforce.
This ensures that user accounts are fully provisioned and kept up-to-date every time a user logs in through SSO.
Step 5: Test the SSO Flow
- Log out of your Drupal site.
- Navigate to /saml/login.
- You’ll be redirected to Salesforce to authenticate.
- After login, you’ll be redirected back to Drupal and logged in automatically with synced user details.
Check that:
- A new Drupal user is created if it doesn’t exist.
- First name, last name, and company fields are populated.
- Roles are assigned correctly.
If there’s an error, enable debugging logs and inspect the SAML response and assertion for mismatches.
Conclusion
Integrating Salesforce with Drupal using the SAML Authentication module enables a seamless and secure SSO experience. This is particularly useful for organizations using Salesforce as a central identity system. With proper configuration, users can enjoy frictionless access to your Drupal site while benefiting from Salesforce’s authentication infrastructure.
