Enabling MyAccess sign-on

The UCSF MyAccess Settings Feature provides a mostly pre-configured route to enabling UCSF MyAccess as your site’s main sign-on mechanism. The Feature configures your site to use resources already installed on the Acquia hosting environment, automatically switches MyAccess “on” for production and “off” for stage and dev, and automatically converts any links to “user/login” to redirect to SimpleSAML and MyAccess when activated. SimpleSAML and SAML are tools we use to connect to MyAccess.

Although this is mostly pre-configured, it is important to review this documentation, as there are a couple manual steps to ensure you can access your site through MyAccess.

Send a request for SAML Activation

Open a ticket in the ITS TA Identity Management queue (go to help.ucsf.edu select "something isn't working right". The incident page will load, go to "Type of Help" and then select "MyAccess"

Provide the following information:

This is a request for SAML/MyAccess integration.

Depending on your Site you need to request the correct endpoint for your SAML integration.

If you are on a Site Builder website, your Metadata request is for:  acquia.sitefactory.ucsf.edu

For all other Document roots, UCSFp1, UCSF8, etc, Please add endpoint to the metadata for: it.ucsf.edu.

Note: It is unnecessary to list ‘dev’ or ‘stage’ sites as SimpleSAML only runs in production. Replace yoursite.ucsf.edu with the name of the site you want to use MyAccess!

You should be notified when SAML activation is complete. If you carry out the next steps carefully, you can still proceed while waiting.

Make a list of fallback Administrators

Note: All instructions from here on out should be carried out on whichever environment (dev, stage, production) is authoritative in terms of the DB and configuration.

Go to the user list in the Admin menu (Admin > People) and figure which users need “fallback” access (back-end access on dev and stage). Other users will have to have roles re-assigned once SAML is active in production.

Write a comma-separated list of the user IDs corresponding to the users who need fallback access. The list should always begin with user “1”. You can hover over a user’s “edit” link, or click their “edit” link and discern their User ID from the URL (/user/##).

Example list: 1,2,5,27,38 -- keep this somewhere convenient.

Note: Any list other than 1,2 may cause Features to report the UCSF MyAccess Settings Feature as "Overridden" -- this is OK.

Note: If the only admin accounts you are using are user “1” (the initial superuser, ucsf_admin on the Starter Kit) and 2, you could skip this step, but it’s still a good idea to check. 1,2 is the default list. -- If you don’t have access to one of the accounts listed either 1,2 or in your own list, you can lock yourself out.

Turn on the Features Module

UCSF Site Builder sites do not have the features module on by default. Here is how to turn it on.

If you go to (Admin > Structure) and don't see features, follow these steps.

  1. Click on Modules in the admin menu
  2. Type "features" in the Filter list
  3. Click on on off button so on appears
  4. Click the Save Configuration button on the bottom left.

That should do it, now you can active the single sign on feature

Activate the SAML Feature

We’ve prepackaged all the other settings, so instead of enabling individual modules, go to the Features interface (Admin > Structure > Features) and click on the side tab labeled “UCSF”.

Check the box next to UCSF MyAccess settings and then click Save Settings. If for some reason your site is not using Features, you’ll have to enable features first.

Finalize SAML Settings

Now go to the SimpleSAML PHP Auth module settings (Admin > Configuration > People > simpleSAMLphp authentication module settings) and paste your list into the field at the bottom of the page marked “Which users should be allowed to login with local accounts?” (if your list is more than '1,2'). Then click Save configuration.

Check that your account numbers took in the local accounts field. Then scroll to the top and check the box for Activate authentication via SimpleSAML.php then scroll to the bottom and click Save configuration.-- this will finalize the conversion to MyAccess login.

If you need to access the fallback account on a production site, you can do so by manually going to the user/login page (yoursite.ucsf.edu/user/login). SimpleSAML should work once ITS completes your request above.

Next steps

  • Add smart login/logout links to a Drupal 7 site
  • If you don't do login/logout links, the login path is /saml_login
  • Check your permissions! Anyone at UCSF will have automatically have the Authenticated User role.
  • Assign roles to new SAML-based users (like authors and editors). Have them login once via MyAccess and then they will show up like any other user in the user list (Admin > People) and can be assigned roles.
Tutorial Tags: 
Tutorial Difficulty: