Today I'm going to review the features and functionality of the WebAuth Extras module. It extends the venerable WebAuth Module for Drupal (WMD), which offers single sign-on (SSO) capability for Drupal sites at Stanford.
There are two user interfaces for WebAuth Extras: the web GUI, and drush.
What You Can Do
The primary functionality that WebAuth Extras provides through the web GUI is the ability to add a new WebAuth user.
What does this mean, and why would you want to do it?
WMD offers the ability for users to log into any Drupal site with their SUNetID and password. When the user logs in the first time, a unique user account is created for them, and they are automatically given the role of "SUNet User". Additionally, users may be assigned additional roles based on affiliation:
If you want to assign additional roles to a user, you either need to use workgroup mapping, or the user needs to have logged in to your Drupal site at least once.
Adding a new WebAuth user via WebAuth Extras allows you to bypass the awkward step where you have to burden a user with logging into the site before you assign them a role ("Hi (Senior Faculty Member), this is (lowly Drupal administrator). Can I get you to go to <url> and click the 'SUNetID login' link in the top right corner? No, you won't see anything yet, I haven't configured your permissions.").
How to Do It
- Enable the WebAuth Extras module if it is not already enabled
- Go to admin/config/webauth/adduser
- Fill in the form:
  - SUNetID: The user's SUNetID. This is the only required field; if you do not fill out the rest of the fields, Name and Email Address will be populated from LDAP.
  - Name: Fill this out if you want to override what's in LDAP. (Search for the user in StanfordYou if you want to find out their name.)
  - Email Address: Likewise, fill this out if you want to override what's in LDAP.
  - Make This User an Administrator: Does just what it says on the tin.
WebAuth Extras provides three drush commands:
- drush webauth-add-user
- drush webauth-map-role
- drush webauth-write-htaccess
webauth-add-user: Add a new WebAuth user
- sunetid: The SUNetID of the user
- --email=<firstname.lastname@example.org>: The user's email address
- --make-admin: Make the user an admin
- --name=<Leland Stanford>: The user's name
webauth-map-role: Map a workgroup to a Drupal role
- Example: drush wamr stanford:staff administrator (maps the "stanford:staff" workgroup to the Drupal "administrator" role)
- workgroup: The workgroup you would like to map
- role: The Drupal role you would like to map to
webauth-write-htaccess: Write the WebAuth .htaccess file to disk. Performs the same function as saving the configuration through the GUI.
webauth-map-role should be self-explanatory.
webauth-write-htaccess is a utility command that you can use when you suspect that something has happened to the .htaccess file governing WebAuth restrictions (e.g., you lose workgroup role mappings).
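Pre-creating several accounts with the drush webauth-add-user command described above, as an added example that is not part of the original post or of the module: it validates each roster row before building the call and grants --make-admin only on an explicit "yes". The roster format, the SUNetID pattern, and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: pre-create WebAuth users from a roster via drush.
# Roster rows (constructed sample below): sunetid,name,email,admin
LC_ALL=C                      # make [a-z] mean ASCII lowercase only
DRY_RUN="${DRY_RUN:-1}"       # 1 = print the drush calls, 0 = run them

# Assumption: a SUNetID is 3-8 lowercase letters/digits, starting with a letter.
# Rejecting everything else also stops a row from smuggling in a drush option.
valid_sunetid() {
  case "$1" in [a-z]*) ;; *) return 1 ;; esac
  case "$1" in *[!a-z0-9]*) return 1 ;; esac
  [ "${#1}" -ge 3 ] && [ "${#1}" -le 8 ]
}

# Build one webauth-add-user call; empty name/email fall back to LDAP.
add_webauth_user() {
  u_id=$1 u_name=$2 u_email=$3 u_admin=$4
  valid_sunetid "$u_id" || { echo "rejected SUNetID: '$u_id'" >&2; return 1; }
  set -- drush webauth-add-user "$u_id"
  [ -n "$u_name" ] && set -- "$@" "--name=$u_name"
  [ -n "$u_email" ] && set -- "$@" "--email=$u_email"
  # Administrator is granted only on an explicit "yes" in the roster.
  [ "$u_admin" = "yes" ] && set -- "$@" --make-admin
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"          # review this output before a real run
  else
    "$@" </dev/null             # keep drush from consuming the roster on stdin
  fi
}

# Read roster rows from stdin; succeed only if every row was accepted.
provision_roster() {
  failed=0
  while IFS=, read -r r_id r_name r_email r_admin; do
    case "$r_id" in ''|'#'*) continue ;; esac
    add_webauth_user "$r_id" "$r_name" "$r_email" "$r_admin" || failed=$((failed + 1))
  done
  [ "$failed" -eq 0 ]
}

# Constructed sample roster; the last row is deliberately malformed.
provision_roster <<'EOF' || echo "roster had rejected rows" >&2
# sunetid,name,email,admin
jdoe,,,no
leland,Leland Stanford,,yes
--make-admin,,,yes
EOF
```

Run it with DRY_RUN=0 from the Drupal site root once the printed commands look right; keeping the roster file gives you a record of who was pre-created and who was made an administrator.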