Allow redirecting from login form directly to the /saml/login route

Created on 1 September 2023, over 1 year ago
Updated 9 February 2024, 11 months ago

Problem/Motivation

When using a single SSO provider and enforcing that everyone has to login via SSO, rather than them seeing the login form and clicking the link, I would rather the user get redirected directly to the SSO right away.

Proposed resolution

Add a new boolean config for force login form to redirect to SSO login.

Feature request
Status

Fixed

Version

3.0

Component

Code

Created by

🇺🇸United States dave reid Nebraska USA

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @dave reid
  • Open in Jenkins → Open on Drupal.org →
    Core: 9.5.5 + Environment: PHP 7.4 & MySQL 5.7
    last update over 1 year ago
    4 pass
  • Open in Jenkins → Open on Drupal.org →
    Core: 9.5.5 + Environment: PHP 7.4 & MySQL 5.7
    last update over 1 year ago
    4 pass
  • Open in Jenkins → Open on Drupal.org →
    Core: 9.5.5 + Environment: PHP 7.4 & MySQL 5.7
    last update over 1 year ago
    2 fail
  • Open in Jenkins → Open on Drupal.org →
    Core: 9.5.5 + Environment: PHP 7.4 & MySQL 5.7
    last update over 1 year ago
    2 fail
  • Status changed to Needs work over 1 year ago
  • 🇺🇸United States dave reid Nebraska USA
  • Open in Jenkins → Open on Drupal.org →
    Core: 9.5.5 + Environment: PHP 7.4 & MySQL 5.7
    last update over 1 year ago
    2 fail
  • 🇳🇱Netherlands roderik Amsterdam,NL / Budapest,HU

    Uhm... I've kept going back and forth on several considerations while thinking about this patch. To keep the story somewhat short, my current state of mind is:

    • This is a viable addition to the module. (I felt some resistance because 1) many people won't want this because they have some privileged users needing to log in locally; 2) the "it can be achieved by other modules" comment in the README. But really the redirect from this one login screen, belongs in this module.)
    • I should not have added the 'login_link_show' boolean config option on top of the string/label; instead, changed it to just the label and just not showing it when empty. I can still drop it while maintaining backward compatibility, and will likely do so.

    FWIW your option to have a default value for the label is generally viable, but I don't want to make that change (thereby making the link show up for everyone who upgrades) in a minor version update.

    When I drop this checkbox, there can likely be a new boolean option, where TRUE (not FALSE) means redirect, and the #states stuff can influence the 'drupal_login_roles' setting.
    (I don't know if a new boolean option is better or worse than having a special value in 'drupal_login_roles' that means "never show the login screen at all". Probably better.)

    Will think about it again after finishing some other changes.

  • Open in Jenkins → Open on Drupal.org →
    Core: 9.5.5 + Environment: PHP 7.4 & MySQL 5.7
    last update 12 months ago
    2 fail
  • Status changed to Needs review 12 months ago
  • 🇳🇱Netherlands roderik Amsterdam,NL / Budapest,HU

    As said earlier:

    • removed (bool) 'login_link_show' setting
    • added (bool) 'login_auto_redirect' setting, whose use is inverted, and not dependent on / entangled with the 'login_link_title' setting. (This also means the login link is still visible on login blocks.)

    I'm likely to check if I can exchange RedirectUserLoginFormSubscriber for a subscriber that sits on RoutingEvents::ALTER instead, and just execute the login code + redirect from /user/login directly to the IdP without going through /saml/login in between.

    I don't know where the current test failure comes from. It's possible that it's a failure in the 8.x-3.x branch. I have to fix my somehow-broken ability to run PHPUnit locally.

  • Open in Jenkins → Open on Drupal.org →
    Core: 9.5.5 + Environment: PHP 7.4 & MySQL 5.7
    last update 12 months ago
    4 pass
  • Status changed to Fixed 12 months ago
  • 🇳🇱Netherlands roderik Amsterdam,NL / Budapest,HU

    Merged. I did mess up the tests a few days ago - now fixed.

    My remark about "exchange RedirectUserLoginFormSubscriber for a subscriber that sits on RoutingEvents::ALTER instead" is senseless; the better solution is to have RedirectUserLoginFormSubscriber immediately do the saml/login stuff and redirect to the IDP.

    I first need to fix 📌 Reimplement response caching on login/logout routes Active for that, though.

  • Issue was unassigned.
  • 🇳🇱Netherlands roderik Amsterdam,NL / Budapest,HU
  • Automatically closed - issue fixed for 2 weeks with no activity.

  • 🇧🇬Bulgaria yivanov

    I was just looking for that feature. When is it planned to be released?

Production build 0.71.5 2024