Drupal, SimpleSAMLphp, and BLT

Shelane French
Oct 20, 2023


The Acquia BLT plugin for SimpleSAMLphp was archived in April 2023. Acquia began to recommend the SAML Authentication module instead of the simpleSAMLphp Authentication module. I believe this was largely due to the underlying library of SimpleSAMLphp not being compatible with Symfony 6. Since Drupal 10 is based on Symfony 6, it looked like there was not a path forward for Drupal 10 users.

Recently, the SimpleSAMLphp library tagged the first release candidate that supports Symfony 6, following a long thread in the issue queue for the library and for the module. Once the library had an actual tag, the module maintainers were able to tag a release candidate as well. If you’re interested in the issue threads, check out the library issue and the module issue discussing this process.

So now you have two choices. You can switch modules or you can incorporate the old BLT plugin into your code base to use the SimpleSAMLphp module. For me, doing the latter was going to be easier because it means that I do not have to have our identity server administrators make any changes.

Incorporate the plugin into your code base:

Step 1: Copy the Plugin File

Copy the SimpleSamlPhpCommand.php file from vendor/acquia/blt-simplesamlphp/src/Blt/Plugin/Commands/ to your BLT project's root directory, specifically under blt/src/Blt/Plugin/Commands/ and make sure that the executable bit is enabled.

Step 2: Adjust Namespace

Modify the namespace of the SimpleSamlPhpCommand class to match the namespace of your BLT commands. Ensure your Composer is configured for PSR-4 autoloading. For more details, refer to BLT Extending Documentation.

Step 3: Update Variable Names

Remove the protected $pluginRoot variable at the beginning of the class and within the initialize function. Replace instances of pluginRoot with repoRoot.

Step 4: Update Symlink

The previous library version had the web-accessible directory at vendor/simplesamlphp/simplesamlphp/www, but this has changed to vendor/simplesamlphp/simplesamlphp/public. This web-accessible directory needs to be symlinked to your docroot/simplesaml. You can update the symlink manually, and you can also update the symlinkDocrootToLibDir method in the SimpleSamlPhpCommand file. If you change the command file, you will need to rerun the blt command recipes:simplesamlphp:init.

Step 5: Include settings

The BLT plugin shipped its own settings file, which the main settings file included when it was present. Now that the plugin is gone, these settings need to be included in your settings file for all environments that will require SAML authentication.

// Tell the SimpleSAMLphp Authentication module where the library is installed.
if (is_dir(DRUPAL_ROOT . '/../simplesamlphp') &&
  is_dir(DRUPAL_ROOT . '/../vendor/simplesamlphp/simplesamlphp')) {
  $settings['simplesamlphp_dir'] = DRUPAL_ROOT . '/../vendor/simplesamlphp/simplesamlphp';
}
// Force server port to 443 with HTTPS environments when behind a load
// balancer which is a requirement for SimpleSAML with ADFS when providing a
// redirect path.
// @see https://github.com/simplesamlphp/simplesamlphp/issues/450
if (array_key_exists('HTTPS', $_SERVER) && $_SERVER['HTTPS'] === 'on') {
  $_SERVER['SERVER_PORT'] = 443;
}

Step 6: Ensure Code Standards

Ensure the code complies with the current PHP Coding Standards (phpcs). Make necessary updates to meet the current standards.

Step 7: Copy Additional Scripts

Copy the entire vendor/acquia/blt-simplesamlphp/scripts directory to the root of your BLT repository.

After completing these steps, your BLT SimpleSamlPhp plugin should be successfully replaced. Don’t forget to thoroughly test your application to ensure everything is functioning as expected after these modifications.
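The manual symlink update from Step 4 as a script, added here as an example and not taken from the archived BLT plugin. The function name relink_simplesaml and its exit codes are assumptions; the paths follow the layout described above. It replaces only an existing symlink and confirms that docroot/simplesaml resolves to the library's public directory and nothing broader.

```bash
#!/usr/bin/env bash
# Added example: repoint docroot/simplesaml at the library's public/ directory.
# Assumes the BLT layout with docroot/ and vendor/ directly under the repo root.

relink_simplesaml() {
  local repo_root="$1"
  local lib="$repo_root/vendor/simplesamlphp/simplesamlphp"
  local link="$repo_root/docroot/simplesaml"
  local resolved expected

  # The Symfony 6 compatible library serves from public/, not www/.
  if [ ! -d "$lib/public" ]; then
    echo "missing $lib/public (is the older library still installed?)" >&2
    return 1
  fi

  # Only ever replace a symlink; refuse to delete a real file or directory.
  if [ -e "$link" ] && [ ! -L "$link" ]; then
    echo "$link exists and is not a symlink; leaving it alone" >&2
    return 2
  fi

  # Relative target, so the link stays valid when the repo is deployed
  # to a different absolute path.
  rm -f "$link"
  ln -s ../vendor/simplesamlphp/simplesamlphp/public "$link" || return 3

  # Verify the link resolves to public/ exactly, so config/ and the rest of
  # the library are not reachable under the docroot.
  resolved=$(cd "$link" && pwd -P) || return 3
  expected=$(cd "$lib/public" && pwd -P) || return 3
  [ "$resolved" = "$expected" ] || return 3

  echo "docroot/simplesaml -> $(readlink "$link")"
}

# Usage, from the repository root:
#   relink_simplesaml "$PWD"
```
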
