Documentation on Automatic role population from simpleSAMLphp attributes

Rule format: The format of the rules is as follows:
Drupal Role ID:Attribute Name,Separator (= or @=),Attribute Value[Rule Separator if multiple rules (a single pipe "|")]

Scenario 1: If a user has a specific e-mail address (e.g., john.doe@example.com), give them a specific role (e.g., the role with rid 3).

3:mail,=,john.doe@example.com

Scenario 2: If a user has any e-mail in a specific domain (e.g., example.com), give them a specific role (e.g., the role with rid 4).

4:mail,@=,john.doe@example.com

Scenario 3: If a user has a specified value (e.g., drupal-admin) in a specified attribute (e.g., groups), give them a specific role (e.g., the role with rid 5).

5:groups,=,drupal-admin

Scenario 4: all the rules combined (separated with pipes).

3:mail,=,john.doe@example.com|4:mail,@=,john.doe@example.com|5:groups,=,drupal-admin

If someone would like to provide a patch that incorporates this into an integrated help page that would be great.

Which attribute from simpleSAMLphp should be used as user mail address
for ex i have value in box like urn:oid:0.7.1234.1234567.123.1.3

so do i put like

4:urn:oid:0.7.1234.1234567.123.1.3,@=,john.doe@example.com

in Automatic role population from simpleSAMLphp attributes box

You'll need to convert your attribute names to friendly names. This is easily done by adding the following line to your config.php file for SimpleSAMLphp.

'class' => 'core:AttributeMap', 'oid2name'

Find the following stanza in config.php

/* Enable the authproc filter below to add URN Prefixces to all attributes
10 => array(
    'class' => 'core:AttributeMap', 'addurnprefix'
), */

Uncomment it and change it to:

// Enable the authproc filter below to add URN Prefixces to all attributes
10 => array(
    'class' => 'core:AttributeMap', 'oid2name'
), 

Then your attributes will be friendlier to deal with

i changed that..do i need to change anything else?

Edit: nevermind. figured it out. :)

Forgive me if this is a stupid question - I'm extremely new to SSO integration.

How can I set just one role to ANY user logging in with SAML? The site I'm working on has only one role that needs to be applied to SSO users, so I don't necessarily need a rule (there are no conditions other than use of SSO to be met), but I do need them to be automatically assigned this one specific user role. How would I go about doing that?

Thanks for your help!

You could define an authproc in SimpleSAMLphp to set an attribute for everyone who authenticates.

Put something like this into simplesamlphp/config/config.php under the authproc.sp section:

/* Enable the authproc filter below to add URN Prefixces to all attributes
10 => array(
    'class' => 'core:PHP', 'code' => '$attributes['SAMLUSER'] = array('1');',
), */

Then you could put in a rule like this:

3:SAMLUSER,=,1

i'm trying to do something very simple but it's not working.

i'm trying to add status 0 when the user is created and

the most important to write first and last name, i can't do it ,

i don't success to do it.

I am using Automatic role population successfully right now, but I have a question about "Reevaluate roles every time the user logs in" which I currently have enabled. "Reevaluate" has help text saying "This means users could loose any roles that have been assigned manually in Drupal" which I completely understand: if my pipe-separated list of rules says to give role 9 when there is a certain SAML attribute value, and that value is missing, role 9 will be revoked if it had been manually granted through some other means.

Let's say I have 10 roles, 1 through 10, and only 1 through 8 are mentioned in my pipe-separated list of rules. Therefore, it should only "reevaluate" a user's membership in roles 1 through 8. Roles 9 and 10 are so specific to my Drupal site that they aren't SAML attributes at all, which is why they cannot be in my pipe-separated list of rules. So why does the "reevaluate" process consistently and unconditionally revoke roles 9 and 10 from all users upon login?

Is the idea that I need to make a SAML attribute for every Drupal role? That seems unnecessary, because the beauty of SAML attributes is that multiple SPs can use them but these particular roles couldn't possibly matter to any other SP!

EDIT: Continuing this discussion on a currently open issue rather than a closed one: https://www.drupal.org/node/2117259

#7 works with a small correction - Use double quotes for all keys within the code fragment. Without this I was getting a white screen of death while doing a login/logout from Drupal.

/* Enable the authproc filter below to add URN Prefixces to all attributes
10 => array(
    'class' => 'core:PHP', 'code' => '$attributes["SAMLUSER"] = array("1");',
), */

Is there a way to see what values are being sent as friendly? I've been told the friendly names, but I can't see them. I can get the login to work using the URNs, but I can't using the friendly names which is also preventing me from doing automatic role assignments.

Thanks.

I was able to figure it out by adding this to my authsources.php for the SP I was using:

'authproc' => array(
			50 => array(
				'class' => 'core:AttributeMap',
				'urn:oid:0.9.2342.19200300.100.1.1' => 'uid',
				'urn:oid:1.3.6.1.4.1.5923.1.1.1.6' => 'mail',
				'urn:oid:1.3.6.1.4.1.5923.1.1.1.1' => 'affiliation',
			),
		),

I found the information here:
https://simplesamlphp.org/docs/stable/simplesamlphp-authproc

Which was linked to from here:
http://stackoverflow.com/questions/35224143/how-do-i-map-attributes-retu...

I have tried #3 then #1 Scenario 4 with 1:CN,=,WEB.ADMINS and it's not working. I'm assuming this is all done via Drupal's GUI configuration page and I don't need to change anything in the files and push it to Acquia, correct? Do I need to change anything on this? 'class' => 'core:AttributeMap', 'oid2name'
If I did exactly as #3 (not changing in values), how do I write the rules? In my attribute name, it is urn:oid:1.3.6.1.4.32549.1.5.3.1 and one of the values it returned is CN=WEB.ADMINS,OU=WEB,OU=SITE Groups,DC=ExampleSite,DC=edu and I want to CN=WEB.ADMINS. So, I want something like this for the rule.

1:CN,=,WEB.ADMINS

Second, I have also tried #12 but when I go into the /simplesaml/ authentication and test configured authentication sources, I chose the authproc and it failed with SimpleSAML_Error_Error: UNHANDLEDEXECPTION.

Third, I like to try #7/#10 but I'm not sure what SAMLUSER refers to. Is it referring to my urn:oid:1.3.6.1.4.32549.1.5.3.1 attribute name? Is array("1") refers to the first value in the urn:oid:1.3.6.1.4.32549.1.5.3.1 attribute array or the value "1" that is in the urn:oid:1.3.6.1.4.32549.1.5.3.1 array?

Any help or clarification is much appreciated.

Team,

I am facing the issue with our Drupal instance. We are using the below rules to map the roles.

1:memberOf,=,Computer Associates
1:memberOf,~=,Computer Associates

administrator:memberOf,~=,IT Systems Administrators
administrator:memberOf,=,IT Systems Administrators

3:mail,@=,ca.com

but no luck.

Is there some issue with role_id?

If yes how can i get the role_id details from web-ui?

Regards,
Jithendar

It would be great to get someone helping on this.

I got this assertion part:

NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
external user, FullAccessUser,

Where all my roles are separated by ", " and my rule is: 3:role,=,external user|4:role,=,internal user

My question is what could be used as operator for identifying the relevant string in the assertion attribute value ?