ECA role evaluation with SAML login

Created on 27 February 2024, 4 months ago
Updated 29 February 2024, 4 months ago

Problem/Motivation

Hi all,
I'm just learning how to use ECA, so please let me know if I'm missing a piece of information that could make my process work better.

My users are logging into my website through a SimpleSAMLphp connection from another Drupal site. In the simplesamlphp_auth module, I've got it set up to re-evaluate roles whenever a user logs in. Their roles are sent from the IdP (authentication website) to the SP (current site) and when they log in, their roles are updated to reflect any changes. From a user perspective, this seems to happen instantly and without issue.

The problem comes in when I use the ECA example of redirecting a user after login based on their role. What I've noticed is that the event sequence seems to go like this:

  1. User logs in
  2. ECA grabs the user login event, checks their role and redirects them
  3. SimpleSAML updates the user's roles
  4. User has been redirected to wrong page because ECA events occurred before SimpleSAML update occurred.

On subsequent logins, when there is no role change, ECA works correctly and the user is redirected to the right page.

From a programmer's standpoint, I can see how ECA is working perfectly - it's redirecting based on the role it currently has access to. I'm not even sure this would be an ECA issue, it's probably a SimpleSAML_auth issue because it's firing later in the event queue. But I wanted to ask if there's a way I can get ECA to wait for SimpleSAML to do its thing or if there's a better template I can use to wait until the role update has been applied and then redirect the user after login?

Thank you :)

💬 Support request
Status

Postponed: needs info

Version

1.1

Component

Code

Created by

🇺🇸 United States rex.barkdoll


Comments & Activities

  • Issue created by @rex.barkdoll
  • 🇩🇪 Germany jurgenhaas Gottmadingen

    Thanks @rex.barkdoll for the great issue description, this makes the problem straightforward to understand. And your observations are perfect, that's precisely what's happening.

    To resolve that, I see 2 approaches:

    • SimpleSAML module implements a new event that they dispatch after they've finished the role sync. Then an ECA integration could be implemented that gets to know about that event and you could use that as your starting event.
    • SimpleSAML could raise their priority, so that their hook for the user login gets dispatched first.

    Both are on the SimpleSAML module and I could imagine that both are valid and would not only benefit ECA but also other use cases. From what you described, it feels as if the role sync needs to be the first thing to happen in any event. I would have thought it should even be part of the session initialization and not an after login hook. Would you mind reporting that with the SimpleSAML maintainers? We could maybe even move this issue over there, then I would stay in the loop and chime in if that was helpful in some way.
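As an added example that is not from this thread or from either module, here is how a site's own custom module could apply the second approach (reordering the login hooks) without waiting for an upstream change; the module name eca_saml_order and the assumption that both modules react to login via hook_user_login() are mine, so verify the real implementation names in your installed versions.

```php
<?php

/**
 * @file
 * Hypothetical custom module "eca_saml_order" (not part of ECA or
 * simplesamlphp_auth). Makes the SimpleSAMLphp role sync run before ECA's
 * user-login hook, so ECA's role check no longer sees the previous login's
 * roles.
 *
 * Assumption: both modules react to login through hook_user_login(), with
 * implementations named simplesamlphp_auth_user_login() and
 * eca_user_user_login(). Check your installed versions before relying on it.
 */

/**
 * Implements hook_module_implements_alter().
 *
 * Drupal invokes hook implementations in the order of the $implementations
 * array (keyed by module name, value is the optional include "group").
 * Moving simplesamlphp_auth to the front of the user_login list guarantees
 * its role sync has completed by the time ECA evaluates the account's roles.
 * Until that sync has run, any role-based decision taken in the same hook
 * (the redirect in this thread) acts on stale privileges.
 */
function eca_saml_order_module_implements_alter(array &$implementations, string $hook): void {
  if ($hook !== 'user_login') {
    return;
  }
  if (!isset($implementations['simplesamlphp_auth'])) {
    // simplesamlphp_auth is not enabled on this site; nothing to reorder.
    return;
  }
  // Remove the entry and re-add it at the front, preserving its group value
  // so Drupal can still locate the implementation file.
  $group = $implementations['simplesamlphp_auth'];
  unset($implementations['simplesamlphp_auth']);
  $implementations = ['simplesamlphp_auth' => $group] + $implementations;
}
```

After enabling the module, rebuild caches, because the result of hook_module_implements_alter() is cached; then log in once with a changed IdP role and confirm the redirect already reflects the new role.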

  • πŸ‡ΊπŸ‡ΈUnited States rex.barkdoll

    Happy to, thank you for confirming my thought process and providing possible solutions :)

    This is the ticket I created on their issue queue: https://www.drupal.org/project/simplesamlphp_auth/issues/3424467 (✨ "Raise SimpleSAML Role update priority in hook to work better with ECA", status: Active)

  • Status changed to Postponed: needs info 4 months ago
  • 🇩🇪 Germany jurgenhaas Gottmadingen

    Nice, thank you. I'm following that other issue now, so if any questions arise, I'll be able to comment there if I can. Setting this one to "Postponed ..." and adding the other issue as related.
