Why isn't "Authenticated" an option in the "Roles allowed for linking" checkboxes?

Created on 1 September 2023, 10 months ago
Updated 15 September 2023, 10 months ago

Problem/Motivation

We have a use case where we want everyone to log in if they have an SSO account, and not necessarily require a role. It doesn't seem like this is possible. Is there a reason that the "Roles allowed for linking" checkboxes don't allow for the default "Authenticated" role for this case?

Steps to reproduce

Proposed resolution

💬 Support request
Status

Closed: duplicate

Version

3.0

Component

Miscellaneous

Created by

🇺🇸 United States Dave Reid Nebraska 🇺🇸


Comments & Activities

  • Issue created by @Dave Reid
  • 🇳🇱 Netherlands roderik Amsterdam,NL / Budapest,HU

    (Provided you have checked at least one of the "enable matching" checkboxes:)

    If you want to link a SAML login to a pre-existing not-linked-yet Drupal account that has more roles than "authenticated"... then all those roles must be explicitly allowed here. (A Drupal account with at least one not-explicitly-allowed role cannot be linked, because it "is considered privileged". This "roles" option was added later as a security hardening.)

    If you want to link a SAML login to a pre-existing not-linked-yet Drupal account that has only the authenticated user role, then that is automatically allowed. (Because that user is not 'privileged' in any way.)
    Put differently: the reason "Authenticated user" is not explicitly listed, is: it never makes sense to leave that unchecked -- the option is then useless because no not-linked-yet users can be linked at all (because all users have this role).

    --

    You're right that the UI description is... not ideal. Every time I see this option, I need to think hard about what exactly it means again, which proves that this needs improvement.

    (Also: if your system regularly adds new roles, then accounts having those new roles cannot be linked until you add the role to this configuration option too -- see 💬 Design of map_users_roles setting is problematic Fixed )
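
A small model of the linking rule described in the comment above, added here as an illustration and not taken from the samlauth module: an unlinked account is linkable only when every role other than the implicit authenticated role is in the allowed list. The function names, role names and account names are constructed for the example.

```python
# Added illustration: a model of the linking rule described in the comment above.
# All names below are constructed; this is not the samlauth module's code.

AUTHENTICATED = "authenticated"  # implicit role that every account has


def blocking_roles(account_roles, allowed_roles):
    """Return the roles that prevent linking: every role on the account that
    is neither the implicit authenticated role nor explicitly allowed."""
    return sorted(set(account_roles) - set(allowed_roles) - {AUTHENTICATED})


def can_link(account_roles, allowed_roles):
    """An unlinked account may be linked only if none of its roles block it."""
    return not blocking_roles(account_roles, allowed_roles)


def audit(accounts, allowed_roles):
    """Map each account that cannot be linked to the roles blocking it, so
    drift between the site's roles and the allowed list becomes visible."""
    report = {}
    for name, roles in accounts.items():
        blocked = blocking_roles(roles, allowed_roles)
        if blocked:
            report[name] = blocked
    return report


# Constructed sample data.
ALLOWED = {"editor", "member_2023"}
ACCOUNTS = {
    "alice": ["authenticated"],                             # default role only
    "bob": ["authenticated", "editor"],                     # extra role is allowed
    "carol": ["authenticated", "editor", "administrator"],  # one role not allowed
    "erin": ["authenticated", "member_2024"],               # role newer than the config
}

if __name__ == "__main__":
    for user, roles in audit(ACCOUNTS, ALLOWED).items():
        print(f"{user}: cannot link, blocked by {', '.join(roles)}")
```

The "erin" row is the case from the last paragraph of the comment: a role created after the setting was saved blocks linking until it is added to the allowed list.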

  • 🇸🇦 Saudi Arabia ishore

    I've just installed samlauth and also came across this issue. We have hundreds of user roles and they're being created automatically. Having to check this module every day to tick any new roles would be very burdensome.

    Our roles all come with the same privileges, so allowing linking for any role is what I'm looking for. Or perhaps negating the condition, allowing all roles to link except for those ticked.

  • 🇳🇱 Netherlands roderik Amsterdam,NL / Budapest,HU

    Please apply the patch in 💬 Design of map_users_roles setting is problematic Fixed . I'll look at that as unpaid time allows. (I'm slowly leaning toward applying something very close to it, though with improved UI and documentation.)

  • 🇸🇦 Saudi Arabia ishore

    Worked a treat, thanks!

  • Status changed to Closed: duplicate 10 months ago
  • 🇺🇸 United States Dave Reid Nebraska 🇺🇸

    Yeah, I think this is covered by 💬 Design of map_users_roles setting is problematic Fixed for us as well; that patch worked great to help regular authenticated users to be logged in.
