How to Install Janrain Federate on Drupal 6.x

I’m in the middle of doing an installation of Janrain Federate on our Drupal 6.25 installation. Janrain Federate is a single sign-on (SSO) solution for Web servers. It is an enterprise solution, so your nonprofit should be ready to deal with what it means to personalize the Web experience for your users.

There seems to be very little discussion on how to do this on Drupal. You need to have some intermediate Drupal skills to do it. Basically, you will need to understand how your themes, custom modules and template.php interact to emit Javascript and HTTP headers.

You’ll have to follow the steps below on multiple Drupal servers. After you’re done, you should be able to log in once on a Drupal server and automatically be logged into all the other servers on which you installed Janrain Federate. It’s very cool. It doesn’t even matter which browser you’re using. If you log in on IE in one instance, you’re automatically logged in on all the other ones (assuming that you have logged in with the same username/password combination and/or social signon on those other instances previously).

The following directions are for Drupal 6.x installations.

1. Install Janrain Engage module: http://drupal.org/project/rpx. The 6.x-2.x-dev release dated 2012-Oct-25 is probably your best bet for now. There was a recent change in the Drupal API that made earlier versions stop working. Thank me now — I have just saved you several days of phone calls with Janrain. You’ll also have to work with Janrain on setting up a Janrain Engage, Capture and Federate account for yourself.

2. Depending on your theme, you need to load a Javascript file hosted by Janrain. The reference looks like this:

<script src="https://[your ID here].janrainsso.com/sso.js"></script>

Referencing external Javascript in Drupal is a bit annoying. Suffice it to say you can either hardcode this in your header (which I do when I’m still testing code out) or do it the “right way” and do it in your template.php file. See http://drupal.org/node/171205#comment-879179 for a good discussion of this issue.

3. Janrain needs you to run some Javascript. The code at Janrain looks like this:

<script src="https://example.janrainsso.com/sso.js" type="text/javascript"></script>
<script type="text/javascript">
JANRAIN.SSO.CAPTURE.check_login({
  sso_server: 'https://example.janrainsso.com',
  client_id: '123abcxyz42',
  redirect_uri: 'http://example.com/oauth_redirect',
  logout_uri: 'http://example.com/logout.php',
  xd_receiver: 'http://example.com/xdcomm.html'
});
</script>

I had to modify it with the help of Janrain because we use multiple development environments (dev, staging and prod). This means the code had to be domain-independent.

JANRAIN.SSO.ENGAGE.check_login ({
  sso_server: 'https://[your ID here].janrainsso.com',
  logout_uri: '',
  xd_receiver: 'http://' + location.hostname + '/xd-receiver',
  token_uri: 'http://' + location.hostname + '/rpx/token_handler'
});

Because you’re using the Janrain Engage module, you don’t need to pass a client_id. The Engage module will already have inserted it into the JANRAIN.SSO.ENGAGE namespace.

I saved the Javascript into a file called janrain.js. Your theme’s info file is probably at sites\all\themes\[theme name]. I then changed the .info file for my theme and wrote this line in the scripts section:

scripts[] = js/janrain.js

I believe it’s better off being the first script you list in your info file but you may have to move this around to make sure it doesn’t interfere with other Javascript you’re running on your site. It shouldn’t as the JANRAIN.SSO.ENGAGE namespace is fairly unique.
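The domain-independent options from step 3 can be checked against the page that loads them. This is an added example, not Janrain's or the author's code: `buildSsoConfig` and `auditSsoConfig` are hypothetical helpers, the option names are the ones shown above, and the sample locations are constructed. It builds the callback URLs from the page's own scheme and host (including any port), and flags options that would move an HTTPS page's token handler to plain HTTP or point at a different host.

```javascript
// Added example: hypothetical helpers, not part of the Janrain library.
function buildSsoConfig(loc, ssoId) {
  // loc.protocol keeps an https page on https; loc.host (unlike hostname) keeps a dev port.
  const origin = loc.protocol + '//' + loc.host;
  return {
    sso_server: 'https://' + ssoId + '.janrainsso.com',
    logout_uri: '',
    xd_receiver: origin + '/xd-receiver',
    token_uri: origin + '/rpx/token_handler'
  };
}

function auditSsoConfig(cfg, loc) {
  const findings = [];
  const page = new URL(loc.protocol + '//' + loc.host + '/');
  const sso = new URL(cfg.sso_server);
  if (sso.protocol !== 'https:') findings.push('sso_server is not https');
  if (!sso.hostname.endsWith('.janrainsso.com')) {
    findings.push('sso_server is not under janrainsso.com');
  }
  for (const key of ['xd_receiver', 'token_uri']) {
    const u = new URL(cfg[key]);
    if (u.host !== page.host) {
      findings.push(key + ' is on a different host than the page');
    } else if (page.protocol === 'https:' && u.protocol !== 'https:') {
      findings.push(key + ' downgrades an https page to http');
    }
  }
  return findings;
}

// Constructed sample locations (stand-ins for window.location on prod and dev).
const SAMPLE_PROD = { protocol: 'https:', host: 'www.example.org', hostname: 'www.example.org' };
const SAMPLE_DEV = { protocol: 'http:', host: 'localhost:8080', hostname: 'localhost' };
for (const loc of [SAMPLE_PROD, SAMPLE_DEV]) {
  const cfg = buildSsoConfig(loc, 'example');
  console.log(loc.host, cfg.token_uri, auditSsoConfig(cfg, loc));
}
```

In the browser, pass `window.location` as `loc` and hand the returned object to `check_login`.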

4. Create a new page called XD receiver and put this into the Body:

<script src="https://autismspeaks.janrainsso.com/static/xd_receiver.js" type="text/javascript"></script>

Yes, I know it’s in the body but it doesn’t matter where this is. Give it a friendly URL that will end in “/xd-receiver”. I guess theoretically you could rewrite your template.php to emit this reference when only that URL is presented or better yet, put it into a custom module for your theme but for the sake of my sanity, let’s just put it on a page. If you really want to clean this up, again check out http://drupal.org/node/171205#comment-879179 for more information.

5. The final step is to change your privacy policy in order for Internet Explorer to respect the cross-domain nature of the SSO protocol you’re using with Janrain. In order to make this work with Internet Explorer, Drupal has to emit a specific HTTP header. For the Web site I work on, autismspeaks.org, that’s handled in a custom module that’s been written to handle this sort of thing. It’s probably the best way to deal with it. Here’s how it looks:

function [your custom module name]_set_page_headers() {
  // P3P compact policy for Internet Explorer; the token list goes inside CP="...".
  drupal_set_header('P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"');
}

Once the module has that function in it, you have to call the function from template.php. It looks like this:

function autismspeaks_preprocess_node(&$vars) {
  [your custom module name]_set_page_headers();
}

The header itself WILL require you to change your site’s privacy policy. It’s shorthand for privacy policies that you need to implement as an organization. In other words, this isn’t JUST a coder issue; you will have to discuss it with business people. I took the time to unpack what it means to put up that P3P header. The information can be found at: http://www.p3pwriter.com/lrn_111.asp

IDC
Identifiable Contact Information: access is given to identified online and physical contact information (e.g., users can access things such as a postal address)

DSP
The privacy policy contains DISPUTES elements.

COR
Errors or wrongful actions arising in connection with the privacy policy will be remedied by the service.

ADM
Information may be used for the technical support of the Web site and its computer system. Users cannot opt-in or opt-out of this usage (same as tag ADMa).

DEVi
Information may be used to enhance, evaluate, or otherwise review the site, service, product, or market. Opt-in means prior consent must be provided by users.

TAIi
Information may be used to tailor or modify content or design of the site where the information is used only for a single visit to the site and not used for any kind of future customization. Opt-in means prior consent must be provided by users.

PSA
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals. Users cannot opt-in or opt-out of this usage (same as tag PSAa).

PSD
Information may be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals. Users cannot opt-in or opt-out of this usage (same as tag PSDa).

IVAi
Information may be used to determine the habits, interests, or other characteristics of individuals and combine it with identified data for the purpose of research, analysis and reporting. Opt-in means prior consent must be provided by users.

IVDi
Information may be used to determine the habits, interests, or other characteristics of individuals and combine it with identified data to make a decision that directly affects that individual. Opt-in means prior consent must be provided by users.

CONi
Information may be used to contact the individual, through a communications channel other than voice telephone, for the promotion of a product or service. This includes notifying visitors about updates to the Web site. Opt-in means prior consent must be provided by users.

HIS
Information may be archived or stored for the purpose of preserving social history as governed by an existing law or policy. Users cannot opt-in or opt-out of this usage (same as tag HISa).

OUR
Ourselves and/or entities acting as our agents or entities for whom we are acting as an agent.

IND
Information is retained for an indeterminate period of time. The absence of a retention policy would be reflected under this option. Where the recipient is a public fora, this is the appropriate retention policy.

CNT
The words and expressions contained in the body of a communication — such as the text of email, bulletin board postings, or chat room communications.
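To review what a site's P3P header actually commits to, the compact policy can be parsed and its purposes grouped by consent suffix. This is an added example, not code from the original post: `parseCompactPolicy` and `optInPurposes` are hypothetical helpers, it assumes the P3P 1.0 compact-policy syntax `CP="..."`, it knows only the tokens listed on this page, and the sample header value is constructed from them.

```javascript
// Added example: hypothetical helpers; token groups cover only the tokens on this page.
const PURPOSES = ['ADM', 'DEV', 'TAI', 'PSA', 'PSD', 'IVA', 'IVD', 'CON', 'HIS'];
const OTHER = ['IDC', 'DSP', 'COR', 'OUR', 'IND', 'CNT'];
const CONSENT = { a: 'always', i: 'opt-in', o: 'opt-out' };

// headerValue is the value of the P3P response header (the part after "P3P:").
function parseCompactPolicy(headerValue) {
  const out = { ok: false, error: null, purposes: [], other: [], unknown: [] };
  // The compact policy is the quoted CP field; a policyref field may sit beside it.
  const m = /(?:^|[\s,])CP\s*=\s*"([^"]*)"/i.exec(headerValue);
  if (!m) {
    out.error = 'no CP="..." field found';
    return out;
  }
  out.ok = true;
  for (const tok of m[1].trim().split(/\s+/).filter(Boolean)) {
    const base = tok.slice(0, 3);
    const suffix = tok.slice(3);
    if (PURPOSES.includes(base) && ['', 'a', 'i', 'o'].includes(suffix)) {
      // A purpose with no suffix means "always", the same as the explicit "a" form.
      out.purposes.push({ token: base, consent: CONSENT[suffix || 'a'] });
    } else if (OTHER.includes(tok)) {
      out.other.push(tok);
    } else {
      out.unknown.push(tok); // not a token described on this page
    }
  }
  return out;
}

// Purposes the site has promised to use only after prior consent.
function optInPurposes(headerValue) {
  return parseCompactPolicy(headerValue).purposes
    .filter((p) => p.consent === 'opt-in')
    .map((p) => p.token);
}

// Constructed sample: the token list from this page in CP="..." form.
const SAMPLE_HEADER = 'CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"';
console.log(optInPurposes(SAMPLE_HEADER));
console.log(parseCompactPolicy('CP: IDC DSP').error);
```

The opt-in list is the set of purposes for which the human-readable policy and the site itself need a working prior-consent mechanism.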

Still around? Make sure your business owners understand that the P3P header does require you to have real human-readable policies that match with the HTTP header your site is now emitting. Well, believe it or not that’s the end of this tutorial. Feel free to ask questions in the comments below.
