Role assignment from attributes does not work when provisioning accounts

Created on 14 July 2017, almost 7 years ago
Updated 2 March 2024, 4 months ago

Steps to Reproduce

This assumes simplesaml is set up and configured appropriately.

  1. Feature "Register users (i.e., auto-provisioning)" (simplesamlphp_auth.settings.autoenablesaml) is enabled
  2. Feature "Automatic role population from simpleSAMLphp attributes" (simplesamlphp_auth.settings.role.population) is configured correctly
  3. Feature "Reevaluate roles every time the user logs in" (simplesamlphp_auth.settings.role.eval_every_time) is disabled
  4. Use /saml_login to use SSO authentication as a user that does not have an existing Drupal user account
  5. Once the new Drupal user account is provisioned and the user is authenticated with Drupal, observe that the user only has the authenticated user role, and does not have the user roles configured in #2 above.

Expected Results

I expected the user roles configured from the attributes to be assigned on the newly provisioned Drupal user account.

Notes

  • This configuration setting is stored as simplesamlphp_auth.settings.role.populate
  • This configuration setting is only used in the SimplesamlphpDrupalAuth service on line SimplesamlphpDrupalAuth.php:297
  • This is found in getMatchingRoles method.
  • The getMatchingRoles method is only invoked from roleMatchAdd method
  • The roleMatchAdd method is invoked from externalLoginRegister method only when role.eval_every_time is TRUE, so only when the "Reevaluate roles every time the user logs in" is enabled.

Proposed Solution

  • Use roleMatchAdd method to assign user roles when new accounts are provisioned
  • Update config form(s) with help text for feature "Register users (i.e., auto-provisioning)"
πŸ› Bug report
Status

Needs review

Version

4.0

Component

Code

Created by

🇺🇸 United States jasonawant New Orleans, USA

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇳🇱 Netherlands Arantxio Dordrecht

    As there is a new version for simplesamlphp_auth, I've created a reroll for this patch. The code is exactly the same, it just moved some lines.

  • Core: 10.0.7 + Environment: PHP 8.1 & MariaDB 10.3.22
    last update about 1 year ago
    Composer require failure
  • 🇳🇱 Netherlands Arantxio Dordrecht

    The function "moduleHandler->getImplementations()" is deprecated in D10, so in order to keep it working on D10 I've adjusted the code. With these adjustments it should be compatible with D9 and D10.

  • Core: 9.5.x + Environment: PHP 8.1 & MariaDB 10.3.22
    last update about 1 year ago
    Composer require failure
  • 🇳🇱 Netherlands Johan den Hollander

    Confirming that with the latest patch I can login as a new user and get the right roles assigned to the user with Drupal 10.

  • Core: 10.0.7 + Environment: PHP 8.1 & MariaDB 10.3.22
    last update about 1 year ago
    Composer require failure
  • 🇳🇱 Netherlands Arantxio Dordrecht

    I forgot to replace a part of the example I used, here is the updated version.

  • 🇳🇱 Netherlands roaldnel

    I rerolled the patch since the previous one could not be applied any longer.

  • 🇺🇸 United States dswier

    I needed to make some changes to the rerolled patch after we discovered some changed behavior on our site. We had been using the patch in #11, and it appears the reroll changed how it worked slightly. The way our SSO setup is configured, you get returned to Drupal right after registering, and should then be logged in. What we started seeing after applying the reroll in #21 was that the user was not instantly logged in. It seems the new patch started doing

    return $account;

    where the #11 patch was keeping what the module was already doing.

    $this->synchronizeUserAttributes($account, TRUE);
    return $this->externalauth->userLoginFinalize($account, $authname, 'simplesamlphp_auth');
    

    This new patch puts it back to the previous code, so that the user's attributes get synced and they are logged in at the end.

  • 🇳🇿 New Zealand jonathan_hunt

    I think this patch needs work as it places invocation of roleMatchSync() inside the condition for new account, so role sync will only be evaluated for newly provisioned accounts and not for subsequent logins.
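
The control flow described in the Notes and in the last comment, as an added stand-alone PHP model (not code from the module or from any patch in this thread). The function names, the `groups` attribute and the role map are hypothetical, and it assumes that evaluating roles replaces previously mapped roles.

```php
<?php
// Stand-alone model of the login flow discussed in this issue (added example).
// All names are hypothetical; this is not simplesamlphp_auth code.

// Constructed mapping: value of the IdP "groups" attribute => Drupal role.
const ROLE_MAP = ['staff' => 'editor', 'it-admins' => 'administrator'];

function matchingRoles(array $attributes): array {
  $roles = [];
  foreach ($attributes['groups'] ?? [] as $group) {
    if (array_key_exists($group, ROLE_MAP)) {
      $roles[] = ROLE_MAP[$group];
    }
  }
  return $roles;
}

// $variant selects when roles are evaluated:
//   'reported' - only when eval_every_time is on (behaviour in the report)
//   'new_only' - only inside the new-account branch (last comment's concern)
//   'both'     - on provisioning, and on later logins if eval_every_time is on
function login(array &$users, string $name, array $attrs, bool $evalEveryTime, string $variant): array {
  $isNew = !isset($users[$name]);
  if ($isNew) {
    $users[$name] = ['authenticated'];  // auto-provisioned account
  }
  $evaluate = match ($variant) {
    'reported' => $evalEveryTime,
    'new_only' => $isNew,
    'both' => $isNew || $evalEveryTime,
  };
  if ($evaluate) {
    // Assumption: evaluation replaces previously mapped roles (a sync).
    $users[$name] = array_merge(['authenticated'], matchingRoles($attrs));
  }
  return $users[$name];
}

foreach (['reported', 'new_only', 'both'] as $variant) {
  foreach ([false, true] as $eval) {
    $users = [];
    $first = login($users, 'alice', ['groups' => ['staff', 'it-admins']], $eval, $variant);
    // Constructed scenario: alice is later removed from it-admins at the IdP.
    $second = login($users, 'alice', ['groups' => ['staff']], $eval, $variant);
    printf("%-8s eval_every_time=%-3s first=[%s] second=[%s]\n",
      $variant, $eval ? 'on' : 'off', implode(',', $first), implode(',', $second));
  }
}
```

With `reported` and reevaluation off, the new account holds only `authenticated`, which reproduces the original report. With `new_only` and reevaluation on, the second login still carries `administrator` after the group was removed at the IdP, which is the case the last comment raises.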
