Drupal AssociationDrupal.org is the home of the Drupal community, and in its 20 year history Drupal.org has managed to coordinate and centralize the efforts of our contributors. As we look to recruit the next generation of contributors who will become project leaders in the next decade, we want to reduce the barriers to joining the community, and extend the reach of a user's Drupal identity.

As such, the Drupal Association is undertaking a new project to both allow account creation and authentication to Drupal.org using common existing accounts that new contributors may already have, and allow federation of the Drupal.org identity, so third party community services like DrupalCamp sites or chat services can allow users to log in with their Drupal identity.

Successful completion of this project will allow new contributors to Drupal to join the community in a single click(or as close as possible with Terms acceptance, etc), and will allow existing Drupal.org users to join community-built services with their existing Drupal.org identity. 

Scope

Project scope should include Discovery, Project Management, Development, Security Review, and Quality Assurance for the following key features:

  1. Migration of existing Drupal.org user identity management and federation between Drupal subsites with an industry standard identity solution, e.g: SAML + OAuth
  2. Replacement or update of the 'Bakery' module for managing login state and synchronizing user profile data across sub-sites of Drupal.org.
  3. Allow Drupal.org account creation and/or login using an existing identity provider, with all appropriate disclaimers about data sharing to comply with global regulation: 
    1. Required identity providers:
      1. GitHub.com
      2. GitLab.com
    2. Optional identity providers

      1. Atlassian ID
      2. Google ID
  4. Integrate solution for Spam account mitigation based on either existing Drupal.org account protection, or other method developed in collaboration with DA engineering staff.

  5. Enforce an additional terms of service acceptance during account creation with a third-party identity. 

    1. Enforce an admin-triggered re-acceptance in case of changed terms of service.
  6. Allow a method for a 3rd party site or service to offer 'Create account/login with your Drupal.org identity' 

    1. Enforce a requirement for only approved sites/services to be allowed to use this identity.
    2. Enforce a requirement that data shared is disclosed to users before account creation is confirmed. 

Technical constraints and additional requirements

The chosen solution must meet the following additional technical constraints and requirements: 

  • Strong preference for a self-hosted identity store, rather than a Saas/third party solution - if a Saas solution is proposed, privacy policy must be stronger-than industry standard, fully compliant with international regulation like GDPR, and data must be fully portable. 
  • After discovery interviews with the Drupal Association engineering team, we must decide which system is the source of truth for user account data: Drupal.org, a SAML database, or other.
  • Must support SSO from www.drupal.org to all sub-sites, and assistance with any necessary data migration.
  • Must support SSO for Drupal 7 and Drupal 9 - as Drupal.org sites will be migrated from version 7 to 9 one at a time. 
  • Must support SSO from www.drupal.org to our self-hosted GitLab instance, including assistance with any necessary migration of existing account data.

Vendor requirements

The Drupal Association will consider contracts from both individual developers and agencies.

An individual must: 

  • Be a member of the Drupal Association
  • Provide a portfolio of examples of prior identity and authentication projects

An agency must: 

  • Active Supporting Partner of the Drupal Association that qualifies for any level of the new Drupal Certified Partner Program
  • Provide a portfolio of examples of prior identity and authentication projects
  • Provide a statement or link that reflects your organization's commitment to Diversity, Equity, and Inclusion.

Other Considerations:

Please indicate if you’re willing to accept in-kind benefits if your bid comes in higher than our allocated budget. The cash portion of the budget should not exceed $28,000 USD.

The point person for this project at the Drupal Association is generally available between 4:00 PM - 11:00 PM UTC. We welcome global responses but we’d prefer meeting times to be within our standard business hours. We will make every effort to accommodate times outside of standard Pacific Time business hours.

Timeline

We would like the authentication and identity solution to be implemented no later than October 1st, 2021.

Individuals or Agencies who intend to participate should provide their bids and samples of portfolio work to the Drupal Association via email (tim@association.drupal.org) no later than Friday, May 14th at 5pm U.S. Pacific. Respondents will be notified of the decision no later than June 15th.