Make it possible to auto-enable SAML logins for existing Drupal users (by adding entries in the `authmap` table) based on the Drupal account's email address. This can be done in addition to the existing functionality that auto-enables SAML for accounts based on username.
This is a one-line change, and would make it much easier to implement sign-on using an email address SAML Attribute. This would be particularly useful in the case of a single sign-on IdP authenticating for several Drupal websites that may have different usernames for the same SAML Principal.
Comment | File | Size | Author |
---|---|---|---|
#8 | allow-modules-to-load-ext-user-2635152-8.patch | 849 bytes | roi |
#4 | simplesamlphp_auth-auto_enable_saml_based-2635152-4.patch | 7.71 KB | becw |
#3 | auto_enable_saml_based-2635152-3.patch | 731 bytes | hampercm |
Comments
Comment #2
hampercm CreditAttribution: hampercm at Acquia commented
Comment #3
hampercm CreditAttribution: hampercm at Acquia commented
My original patch had one of my debugging watchdog() calls contaminating it. Here's a corrected patch.
Comment #4
becw CreditAttribution: becw at Palantir.net for Acquia commented
I had the same need; I have a bunch of migrated users who I would like to log in by email address. I had a slightly more verbose solution, which makes this configurable, and also works when you enable SAML for individual accounts in Drupal.
Comment #5
pbuyle CreditAttribution: pbuyle at Floe design + technologies commented
`_simplesamlphp_auth_get_authname()`
Infinite loop when `simplesamlphp_authname_source` is `uid`. It seems a missing `_simplesamlphp_auth_get_unique_id()` function should be called instead.
Otherwise, the patch seems to be working fine when matching with the email.
Comment #6
pbuyle CreditAttribution: pbuyle at Floe design + technologies commented
Comment #7
jnicola CreditAttribution: jnicola commented
Tested the patch above for mapping via email. Works for me! Did not test UID infinite loop correlation. Perhaps keeping this to just email or username for now would be best?
Comment #8
roi CreditAttribution: roi as a volunteer commented
Enabling email is good but not the only field by which we should use SAML. In my site there's a need to retrieve some very specific substring from the SAML auth and look for it on one of the existing user's fields. My patch allows other modules to do that, and it also lets you use email, of course.
Comment #9
sherakama CreditAttribution: sherakama as a volunteer commented
I like roi's approach with the drupal_alter call instead of a switch statement. Roi's approach will make it much more flexible for other modules to hook in and provide their use case specific options.
Maybe we can provide the best of both worlds? Perhaps have username and email lookups by default and then hook out with drupal_alter?
Thanks
Comment #10
sherakama CreditAttribution: sherakama as a volunteer commented
I've been doing some of this work here: https://www.drupal.org/node/2745089
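The lookup order discussed in comments #8 and #9 (username and email by default, with room for further lookups), as an added example that is not code from any patch in this issue. It runs stand-alone: the arrays are constructed stand-ins for Drupal's users and `authmap` tables, and the attribute names, resolver list and `link_existing_user()` are hypothetical. It shows the cases a defender cares about when linking by email: an address matching more than one account, a blocked account, and an account already linked to another SAML principal.

```php
<?php
// Constructed sample data standing in for Drupal's users and authmap tables.
$users = [
  ['uid' => 2, 'name' => 'jsmith',  'mail' => 'J.Smith@example.org', 'status' => 1],
  ['uid' => 3, 'name' => 'shared1', 'mail' => 'team@example.org',    'status' => 1],
  ['uid' => 4, 'name' => 'shared2', 'mail' => 'team@example.org',    'status' => 1],
  ['uid' => 5, 'name' => 'olduser', 'mail' => 'old@example.org',     'status' => 0],
];
$authmap = []; // uid => authname, i.e. the rows owned by the SAML module.

// Hypothetical resolvers, tried in order: username first, then email.
// Each returns every matching account so the caller can detect ambiguity.
$resolvers = [
  'name' => function (array $users, array $attrs) {
    return array_filter($users, function ($u) use ($attrs) {
      return isset($attrs['username'][0]) && $u['name'] === $attrs['username'][0];
    });
  },
  'mail' => function (array $users, array $attrs) {
    return array_filter($users, function ($u) use ($attrs) {
      return isset($attrs['mail'][0])
        && strtolower($u['mail']) === strtolower(trim($attrs['mail'][0]));
    });
  },
];

// Link a SAML principal to an existing account; returns the uid or NULL.
function link_existing_user($authname, array $attrs, array $users, array $resolvers, array &$authmap) {
  foreach ($resolvers as $resolver) {
    $matches = array_values($resolver($users, $attrs));
    if (count($matches) === 0) {
      continue; // Nothing found by this lookup, try the next one.
    }
    // Refuse ambiguous, blocked or already-linked accounts instead of guessing.
    if (count($matches) > 1 || !$matches[0]['status'] || isset($authmap[$matches[0]['uid']])) {
      return NULL;
    }
    $authmap[$matches[0]['uid']] = $authname;
    return $matches[0]['uid'];
  }
  return NULL;
}

// Case-insensitive match on a single active account.
var_dump(link_existing_user('p-1001', ['mail' => ['j.smith@example.org']], $users, $resolvers, $authmap));
// Address shared by two accounts.
var_dump(link_existing_user('p-1002', ['mail' => ['team@example.org']], $users, $resolvers, $authmap));
// Address belonging to a blocked account.
var_dump(link_existing_user('p-1003', ['mail' => ['old@example.org']], $users, $resolvers, $authmap));
```

Linking by email is only as trustworthy as the IdP's assertion of that attribute, so the refusal branches matter more than the happy path.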