Introduction

SSO Connector provides a robust Single Sign-On foundation for Drupal using an Identity
Provider (IdP) / Service Provider (SP)
architecture. It is designed for multi-site Drupal environments
where users authenticate once and access connected sites securely.

This project page describes the core module. Optional capabilities such as OAuth/OIDC, social
login, advanced synchronization, permissions orchestration, and related integrations are maintained as separate
submodules/projects.

Core Features

  • IdP/SP Role Model: Configure each site as Identity Provider or Service Provider from one admin
    UI.
  • End-to-End Browser SSO Flow: Dedicated endpoints for login start, return-path, token return,
    and logout.
  • Secure Token Handling: Signed JWT tokens with encrypted payload transport and configurable
    expiration.
  • Hardened Token Endpoint: Machine token endpoint with optional IP allowlist and dedicated API
    key support.
  • No Shared Cross-Domain Cookie Dependency: SSO flow does not rely on bakery-style shared
    cookies.
  • User Synchronization: Optional SP account auto-creation and controlled profile-field
    synchronization from IdP.
  • Redirect Safety: Destination sanitization and stricter flow validation to reduce redirect abuse
    risks.
  • Drupal 10/11 Ready: Service-based architecture with maintained test coverage.

Optional Bundle Modules

Install only what your topology needs. Core works standalone.


Feature Scope (Core vs Extras)

  • Core: IdP/SP roles, browser SSO flow, JWT token flow, base endpoint hardening, optional basic
    sync controls.
  • OAuth module: OIDC/OAuth ecosystem endpoints and metadata publication.
  • Sync module: Extended inbound data synchronization policies.
  • Permissions module: Role and permission orchestration contracts.
  • Social/Autologout/Cookie modules: Operational UX and platform behavior enhancements.

Requirements

  • Drupal 10 or 11
  • HTTPS enabled on IdP and all SP environments
  • Shared JWT secret between IdP and all SP sites
  • Clock synchronization across servers (NTP recommended)

Post-Installation

  • Configuration Path: Administration > Configuration > System > SSO Connector
  • IdP Site: Set role to IdP, define JWT secret, allowlist SP base URLs.
  • SP Sites: Set role to SP, define IdP URL, use the same JWT secret.
  • Security: Configure token API key, allowed IPs, and token expiration policy as needed.
  • User Sync (Optional): Enable synchronization and allow only approved profile fields.

Security Notes

  • Use strong secrets and rotate them periodically.
  • Prefer short token lifetimes aligned with your risk profile.
  • Enable API key and IP allowlist for machine endpoints when possible.
  • Restrict redirect destinations to trusted internal paths.

Troubleshooting

  • Repeated login prompts: Verify IdP/SP role values, shared secret parity, and callback flow
    integrity.
  • Browser cookie warnings: Review SameSite, Secure, and domain policies in your environment.
  • 401/403/503 on sync endpoints: Validate timestamp window, HMAC signature, and role-direction
    policy.
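As a language-neutral illustration of the checks behind the Security Notes and the Troubleshooting entries above (shared-secret signature, expiration with an allowance for clock drift, audience pinning, and redirect-destination sanitization), here is an added Python example; it is not the module's own PHP code, and `sign_token`, `verify_token`, `safe_destination`, the claim names and the 30-second leeway are assumptions chosen for the example.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlsplit

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(claims: dict, secret: bytes) -> str:
    """IdP side (hypothetical): HS256-sign the claims as a compact JWT.
    The page also describes encrypted payload transport; that step is omitted here."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token: str, secret: bytes, sp_base_url: str, now=None, leeway: int = 30) -> dict:
    """SP side: accept only a correctly signed, time-valid token minted for this SP."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the token choose it
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")  # a mismatched shared secret fails here (repeated login prompts)
    claims = json.loads(_b64url_decode(body_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) + leeway < now:  # small leeway covers clock drift; NTP keeps drift small
        raise ValueError("token expired")
    if claims.get("nbf", 0) - leeway > now:
        raise ValueError("token not yet valid")
    if claims.get("aud") != sp_base_url:  # a token issued for another SP must not log in here
        raise ValueError("audience mismatch")
    return claims

def safe_destination(dest: str, default: str = "/") -> str:
    """Redirect safety: keep only same-site absolute paths; anything host-bearing falls back."""
    if not dest or not dest.startswith("/") or dest.startswith(("//", "/\\")):
        return default
    parts = urlsplit(dest)
    if parts.scheme or parts.netloc:
        return default
    return dest
```

The same `secret` must be configured on the IdP and every SP, and `exp` should be set only a short interval after issuance, as the Security Notes recommend.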

Supporting this Module

Contributions are welcome. Bug reports, patches, reviews, and documentation improvements help keep SSO Connector
stable and secure for the Drupal community.
