Contrib.social

Role assignment from attributes does not work when provisioning accounts

Open on Drupal.org β†’
Created on 14 July 2017, over 7 years ago
Updated 15 March 2023, about 2 years ago

Role assignment from attributes does not work when provisioning accounts

Steps to Reproduce

This assumes simplesaml is setup and configured appropriately.

  1. Feature "Register users (i.e., auto-provisioning)" (simplesamlphp_auth.settings.autoenablesaml)is enabled
  2. Feature "Automatic role population from simpleSAMLphp attributes" (simplesamlphp_auth.settings.role.population) is configured correctly
  3. Feature "Reevaluate roles every time the user logs in" (simplesamlphp_auth.settings.role.eval_every_time) is disabled
  4. Use /saml_login to use SSO authentication as a user that does not have an existing Drupal user account
  5. Once new Drupal user account is provisioned and the user is authenticated with Drupal, observe the user only has authenticated user role, but does not have user roles configured in #2 above.

Expected Results

I expected the user roles configured from the attributes are assigned on the new provisioned Drupal user account.

Notes

  • This configuration setting is stored as simplesamlphp_auth.settings.role.populate
  • This configuration setting is only used in the SimplesamlphpDrupalAuth service on line SimplesamlphpDrupalAuth.php:297
  • This is found in getMatchingRoles method.
  • The getMatchingRoles method is only invoked from roleMatchAdd method
  • The roleMatchAdd method is invoked from externalLoginRegister method only when role.eval_every_time is TRUE, so only when the "Reevaluate roles every time the user logs in" is enabled.

Proposed Solution

  • Use roleMatchAdd method to assign user roles when new accounts are provisioned
  • Update config form(s) with help text for feature "Register users (i.e., auto-provisioning)"
πŸ› Bug report
Status

Needs review

Version

4.0

Component

Code

Created by

πŸ‡ΊπŸ‡ΈUnited States jasonawant New Orleans, USA

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment about 2 years ago β†’
    πŸ‡³πŸ‡±Netherlands arantxio Dordrecht

    As there is a new version for simplesamlphp_auth, I've created a reroll for this patch. The code is exactly the same, it just moved some lines.

  • Open in Jenkins β†’ Open on Drupal.org β†’
    Core: 10.0.7 + Environment: PHP 8.1 & MariaDB 10.3.22
    last update almost 2 years ago
    Composer require failure
  • Comment almost 2 years ago β†’
    πŸ‡³πŸ‡±Netherlands arantxio Dordrecht

    The function "moduleHandler->getImplementations()" is deprecated in D10, so in order to keep it working on D10 i've adjusted the code. With these adjustments it should be compatible with D9 and D10.

  • Open in Jenkins β†’ Open on Drupal.org β†’
    Core: 9.5.x + Environment: PHP 8.1 & MariaDB 10.3.22
    last update almost 2 years ago
    Composer require failure
  • Open in Jenkins β†’ Open on Drupal.org β†’
    Core: 9.5.x + Environment: PHP 8.1 & MariaDB 10.3.22
    last update almost 2 years ago
    Composer require failure
  • Comment almost 2 years ago β†’
    πŸ‡³πŸ‡±Netherlands Johan den Hollander

    Confirming that with the latest patch I can login as a new user and get the right roles assigned to the user with Drupal 10.

  • Open in Jenkins β†’ Open on Drupal.org β†’
    Core: 10.0.7 + Environment: PHP 8.1 & MariaDB 10.3.22
    last update almost 2 years ago
    Composer require failure
  • Comment almost 2 years ago β†’
    πŸ‡³πŸ‡±Netherlands arantxio Dordrecht

    I forgot to replace a part of the example I used, here is the updated version.

  • Comment over 1 year ago β†’
    πŸ‡³πŸ‡±Netherlands roaldnel

    I rerolled the patch since the previous one could not be applied any longer.

  • Comment about 1 year ago β†’
    πŸ‡ΊπŸ‡ΈUnited States dswier

    I needed to make some changes to the rerolled patch after we discovered some changed behavior on our site. We had been using the patch in #11 πŸ› Role assignment from attributes does not work when provisioning accounts Needs review , and it appears the reroll changed how it worked slightly. The way our SSO setup is configured, you get returned to Drupal right after registering, and should then be logged in. What we started seeing after applying the reroll in #21, was that the user was not instantly logged in. It seems the new patch started doing
    return $account;
    Where the #11 patch was keeping what the module was already doing.

    $this->synchronizeUserAttributes($account, TRUE);
return $this->externalauth->userLoginFinalize($account, $authname, 'simplesamlphp_auth');

    This new patch puts it back to the previous code, so that the user's attributes get synced and they are logged in at the end.

  • Comment 11 months ago β†’
    πŸ‡³πŸ‡ΏNew Zealand jonathan_hunt

    I think this patch needs work as it places invocation of roleMatchSync() inside the condition for new account, so role sync will only be evaluated for newly provisioned accounts and not for subsequent logins.

  • Comment 8 months ago β†’
    πŸ‡ΈπŸ‡ͺSweden UlfG

    Could not understand what i did wrong, checked issue queue. Found this and applied patch in #22
    Now it works as intended

    Thank you!

  • Comment 2 months ago β†’
    πŸ‡¨πŸ‡¦Canada dylan donkersgoed London, Ontario

    dylan donkersgoed β†’ made their first commit to this issue’s fork.

  • Merge request !41Applied patch simplesamlphp_auth-role_assignment-2894945-22.patch β†’ (Open) created by dylan donkersgoed
  • Pipeline finished with Failed
    2 months ago
    Total: 156s
    #404905
  • Pipeline finished with Failed
    2 months ago
    Total: 160s
    #404966
  • Comment 2 months ago β†’
    πŸ‡¨πŸ‡¦Canada dylan donkersgoed London, Ontario

    I encountered an issue with this patch preventing hook_simplesamlphp_auth_existing_user from running. This was happening because the else that triggered it was moved inside of this if which checked for an existing user:

        if (!$account) {
      $existing_user = $this->entityTypeManager->getStorage('user')->loadByProperties(['name' => $authname]);
      $existing_user = $existing_user ? reset($existing_user) : FALSE;
      if ($existing_user) {

    which would not generally be true when you're implementing a custom hook_simplesamlphp_auth_existing_user() to look up the user by an attribute other than their name. I moved the else outside of this check like the original module and adjusted the linkUser method accordingly.

    Patch is attached. I also opened an MR with the patch and my new change.

    While the patch seems to be working for me now, I think there may still be some room for improvement. I don't know the full rationale for the drastic changes between patch 8 and patch 11, but I feel as though the patch may be doing more than it needs to to fix the issue, which may have other side-effects.

  • Comment 20 days ago β†’
    πŸ‡ΊπŸ‡ΈUnited States dswier

    I discovered another side effect issue that seems to have been introduced in the comment #21 reroll. When I first read the previous comment, it looked like it was about the same issue, but there is another case that prevents "Automatically enable SAML authentication for existing users upon successful login" from working as intended. Essentially from patch 21 onward, if the condition is met that an existing user is found, and 'autoenablesaml' is turned on, a message is logged saying that the two accounts will be linked(if debugging is enabled). The condition exits after this, and no action is actually taken to link the accounts. After going back and comparing different versions of the patch, I determined that these two lines had been removed from the aforementioned conditional.

              $this->externalauth->linkExistingAccount($authname, 'simplesamlphp_auth', $existing_user);
          $account = $existing_user;

    I'm attaching a patch that adds this functionality back, and is otherwise the same as patch #27.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024