Module of the Day: WebAuth Extras

Today I'm going to review the features and functionality of the WebAuth Extras module. It extends the venerable WebAuth Module for Drupal (WMD), which offers single sign-on (SSO) capability for Drupal sites at Stanford.

There are two user interfaces for WebAuth Extras: the web GUI, and drush.


What You Can Do

The primary functionality that WebAuth Extras provides through the web GUI is the ability to add a new WebAuth user.

What does this mean, and why would you want to do it?

WMD offers the ability for users to log into any Drupal site with their SUNetID and password. When the user logs in the first time, a unique user account is created for them, and they are automatically given the role of "SUNet User". Additionally, users may be assigned additional roles based on affiliation:

Affiliation   Workgroup          Drupal Role
Student       stanford:student   Stanford Student
Faculty       stanford:faculty   Stanford Faculty
Staff         stanford:staff     Stanford Staff

If you want to assign additional roles to a user, you either need to use workgroup mapping, or the user needs to have logged in to your Drupal site at least once.

Adding a new WebAuth user via WebAuth Extras allows you to bypass the awkward step where you have to burden a user with logging into the site before you assign them a role ("Hi (Senior Faculty Member), this is (lowly Drupal administrator). Can I get you to go to <url> and click the 'SUNetID login' link in the top right corner? No, you won't see anything yet, I haven't configured your permissions.").

How to Do It

  1. Enable the WebAuth Extras module if it is not already enabled
  2. Go to admin/config/webauth/adduser
  3. Fill in the form:
    1. SUNetID: The user's SUNetID. This is the only required field; if you do not fill out the rest of the fields, Name and Email Address will be populated from LDAP.
    2. Name: Fill this out if you want to override what's in LDAP. (Search for the user in StanfordYou if you want to find out their name.)
    3. Email Address: Likewise, fill this out if you want to override what's in LDAP.
    4. Make This User an Administrator: Does just what it says on the tin.


WebAuth Extras provides three drush commands:

  • drush webauth-add-user
  • drush webauth-map-role
  • drush webauth-write-htaccess

% drush help webauth-add-user
Add a new WebAuth user

 sunetid                                   The SUNetID of the user

 --email=<>                                The user's email address
 --make-admin                              Make the user an admin
 --name=<Leland Stanford>                  The user's name

Aliases: waau

% drush help webauth-map-role
Map a workgroup to a Drupal role

 drush wamr stanford:staff administrator   Maps the "stanford:staff" workgroup to the Drupal "administrator" role

 workgroup                                 The workgroup you would like to map      
 role                                      The Drupal role you would like to map to

Aliases: wamr

% drush help webauth-write-htaccess
Write the WebAuth .htaccess file to disk. Performs the same function as saving the configuration through the GUI.

Aliases: wawh

webauth-add-user and webauth-map-role should be self-explanatory. webauth-write-htaccess is a utility command that you can use when you suspect that something has happened to the .htaccess file governing WebAuth restrictions (e.g., you lose workgroup role mappings).
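
The two provisioning commands above can be wrapped so that an administrator grant is always a deliberate, per-user act. The script below is an added example, not part of WebAuth Extras: it refuses to map any of the affiliation-wide workgroups from the table to the "administrator" role and rejects malformed SUNetIDs before calling drush. The wrapper names, the DRUSH variable, the SUNetID character rule and the sample values (jdoe, example:webteam, editor) are assumptions made for the example.

```sh
#!/bin/sh
# Added example: guard wrappers around the drush commands shown above.
# Dry run by default (commands are printed); run with DRUSH=drush to execute.
DRUSH="${DRUSH:-echo drush}"

# Affiliation-wide workgroups from the table on this page.
BROAD_WORKGROUPS="stanford:student stanford:faculty stanford:staff"

# is_broad_workgroup WORKGROUP: succeeds if the workgroup covers a whole affiliation.
is_broad_workgroup() {
    for wg in $BROAD_WORKGROUPS; do
        [ "$1" = "$wg" ] && return 0
    done
    return 1
}

# map_role WORKGROUP ROLE: refuse to hand "administrator" to a whole affiliation.
map_role() {
    if [ "$2" = "administrator" ] && is_broad_workgroup "$1"; then
        echo "refused: $1 -> $2 makes every member an administrator" >&2
        return 1
    fi
    $DRUSH webauth-map-role "$1" "$2"
}

# add_user SUNETID [admin]: pre-create the account before the user's first login.
# Assumption: a SUNetID is lowercase letters and digits only; this also blocks
# values starting with "-" that drush would parse as options.
add_user() {
    case "$1" in
        ''|*[!a-z0-9]*) echo "refused: invalid SUNetID '$1'" >&2; return 1 ;;
    esac
    if [ "$2" = "admin" ]; then
        $DRUSH webauth-add-user "$1" --make-admin
    else
        $DRUSH webauth-add-user "$1"
    fi
}

# Constructed sample run: jdoe, example:webteam and editor are made-up values.
add_user jdoe admin
map_role example:webteam editor
map_role stanford:staff administrator || true
```

The last call is the mapping from the help text's own usage line; the wrapper rejects it because it would make every staff member who logs in an administrator.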