Unable to masquerade when logging in via SAML

Having the same issue. Noticed it has to do with the user I was masquerading to didn't have a role that was enabled for local login

Can cofirm. Users you want to masquerade to must be specified in "Which users should be allowed to login with local accounts?", or leave blank for all.

This is closely related to #2478499: User 1: Automatic Logout after saving configuration

It's exactly the same code which logs out users not authenticated from simplesaml.

I've taken a closer look at this and found a solution, see patch.

It is as Zekvyrin points out a problem with simplesamlphp_auth_user_logout - it logges out "too much".

I've not been able to solve the "problem", I've found a way around it. Caveat emptor.

I considered two options:
1) Patch masquerade to set a session variable before invoking user_logout which runs simplesamlphp_auth_user_logout AND patch simplesamlphp_auth to check for this variable.
2) Find another way that only affects simplesamlphp_auth.

This patch incorporates option 2 by checking the backtrace for the two masquerade-functions involved when invoking user_logout.

Updated patch. Switched out ddebug_backtrace with debug_backtrace since the first one requires that the user has access to devel and normal users should not.

Here is an 8.x patch that relies on #2975124: Masquarade Saml compatibility issue and then checks for the session key, much less hackery required but it does need a masquerade patch too per the previous issue.

Also, you will likely also need the patch from #2975184: Masquerading as user not authenticated causes logout to remain logged in.

Masquerade issue commited

I can confirm the patch #6 works for me, with the latest dev branch of the masquerade module.

Thanks @Berdir for the patch and @andypost for the tip!

This is helpful thanks @andypost and @Berdir!

New beta released https://www.drupal.org/project/masquerade/releases/8.x-2.0-beta3

There's also a related issue here: #2975184: Masquerading as user not authenticated causes logout, you might need that if you disallow local logins for example. Testing of that would be appreciated so I can commit both. FWIW, this patch should also switch to doing a hasService() && isMasquerading approach to use the API like the new patch over there.

Rerolled

We faced the same issue in Drupal 7 and were able to fix it by applying this patch from the masquerade module (it has been committed to 7.x-1.x-dev but has not been included in a stable release yet): https://www.drupal.org/project/masquerade/issues/2124113#comment-11760980

#11 working great!

Encountered a fatal after a D9 upgrade when trying to masquerade while being logged in using simplesaml because the $account parameter is a User object (not AccountProxy) which doesn't have the setAccount() function.

Created an issue fork with a solution based on the patch in #14, opted to check if the masquerade module is enabled and leaving it up to that module to indicate if the user is masquerading.

Hello,

I also found this problem and although they say that #14 works, for me it worked only after applying it also in the Subscriber.

Here I leave my change and the difference between #14 and my change.

#21 worked here.

This looks good to me as well.

Would be nice to implement another solution except hardcoding 'masquerading' session check to simplesamlphp_auth.
Also good idea to Close with won't do.

What do you think?