Problem/Motivation

It is currently impossible to retrieve information about the externally authenticated user. Many IdPs support a wide range of attributes that can hold detailed information about the user. Using these attributes, it is possible not only to provide single sign-on for the user, but also to keep the user's information consistent and up to date across the services they use. In the case of Drupal, only the e-mail address and group membership information are effectively usable, but this is still an interesting possibility.

Proposed solution

I suggest creating two new configuration variables, webserver_auth_email_from_idp and webserver_auth_ext_groups_roles_map, which regulate the retrieval of e-mail and group membership information, respectively, from an external IdP. The former is a TRUE/FALSE option, while the latter is a text area holding a mapping of external groups to Drupal roles in the format external_group:role;external_group:role... (pairs separated by semicolons, with the external group and the Drupal role within each pair separated by a colon).
This retrieval will be implemented by two new functions, _webserver_auth_update_remote_user_info() and _webserver_auth_update_remote_user_roles(). To ensure not only the initial retrieval of the information but also its subsequent updates, _webserver_auth_attempt_login() will call _webserver_auth_update_remote_user_info() at every login. This function retrieves the user's e-mail from the REMOTE_USER_EMAIL environment variable and, if it differs from the one stored in Drupal's database, updates it there. Afterwards, it calls _webserver_auth_update_remote_user_roles(), which retrieves the external group membership information from the REMOTE_USER_GROUP_* environment variables and uses the (previously parsed) mapping of external groups to roles in webserver_auth_ext_groups_roles_map to determine which Drupal roles the user should currently hold; according to that, it unassigns and/or assigns roles to the user in the database.
Additionally, the e-mail field in the user account modification form is disabled if webserver_auth_email_from_idp is TRUE.
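The following is an added example, not code from the webserver_auth module or from this patch, showing how the mapping string and the REMOTE_USER_* variables described above can be turned into a concrete set of role changes. The function names prefixed with example_, the $server array standing in for $_SERVER, and the sample values are all assumptions made for illustration; the actual database updates (user_save() and friends) are left out so the logic can be read on its own.

```php
<?php
// Added example (not the webserver_auth module's own code): parse the
// webserver_auth_ext_groups_roles_map setting and compute which Drupal
// roles to assign and unassign from the REMOTE_USER_GROUP_* variables.
// All example_* names and the $server array layout are assumptions.

/**
 * Parse "group:role;group:role" into array('group' => 'role', ...).
 *
 * Malformed pairs (no colon, empty group or empty role) are skipped rather
 * than mapped to something unexpected, so a typo in the setting cannot
 * silently grant a role.
 */
function example_parse_groups_roles_map($map) {
  $result = array();
  foreach (explode(';', $map) as $pair) {
    $pair = trim($pair);
    if ($pair === '') {
      continue;
    }
    $parts = explode(':', $pair, 2);
    if (count($parts) !== 2) {
      continue;
    }
    $group = trim($parts[0]);
    $role = trim($parts[1]);
    if ($group === '' || $role === '') {
      continue;
    }
    $result[$group] = $role;
  }
  return $result;
}

/**
 * Return the new e-mail address if REMOTE_USER_EMAIL is set, well-formed
 * and different from the stored one; otherwise NULL (no update needed).
 */
function example_email_update(array $server, $current_email) {
  if (empty($server['REMOTE_USER_EMAIL'])) {
    return NULL;
  }
  $email = trim($server['REMOTE_USER_EMAIL']);
  if (filter_var($email, FILTER_VALIDATE_EMAIL) === FALSE) {
    return NULL;
  }
  return $email === $current_email ? NULL : $email;
}

/**
 * Collect external groups from every variable named REMOTE_USER_GROUP_*.
 * These values are set by the web server's authentication layer, which is
 * why they can be trusted; nothing client-supplied is read here.
 */
function example_remote_groups(array $server) {
  $groups = array();
  foreach ($server as $name => $value) {
    if (strpos($name, 'REMOTE_USER_GROUP_') === 0 && $value !== '') {
      $groups[] = $value;
    }
  }
  return $groups;
}

/**
 * Decide which roles to assign and unassign.
 *
 * Only roles that appear in the mapping are managed: a role the user holds
 * that is not in the map is left untouched, and a mapped role is removed
 * when the user is no longer in any group that maps to it.
 */
function example_role_changes(array $map, array $remote_groups, array $current_roles) {
  $managed = array_unique(array_values($map));
  $wanted = array();
  foreach ($remote_groups as $group) {
    if (isset($map[$group])) {
      $wanted[$map[$group]] = TRUE;
    }
  }
  $assign = array();
  $unassign = array();
  foreach ($managed as $role) {
    $has = in_array($role, $current_roles, TRUE);
    if (isset($wanted[$role]) && !$has) {
      $assign[] = $role;
    }
    elseif (!isset($wanted[$role]) && $has) {
      $unassign[] = $role;
    }
  }
  return array('assign' => $assign, 'unassign' => $unassign);
}

// Constructed sample input: the mapping setting (with one malformed entry),
// the environment as the web server would expose it, and the user's state.
$map = example_parse_groups_roles_map('staff:editor;admins:administrator;broken');
$server = array(
  'REMOTE_USER' => 'jdoe',
  'REMOTE_USER_EMAIL' => 'jdoe@example.org',
  'REMOTE_USER_GROUP_1' => 'staff',
  'REMOTE_USER_GROUP_2' => 'guests',
);
$current_roles = array('authenticated user', 'administrator');

print_r(example_email_update($server, 'old@example.org'));
print_r(example_role_changes($map, example_remote_groups($server), $current_roles));
```

With the constructed input, the e-mail check returns jdoe@example.org because it differs from the stored address, and the role check returns editor to assign (the user is in "staff") and administrator to unassign (the user is no longer in "admins"); "authenticated user" is not in the map, so it is left alone, and the "broken" entry is ignored. Keeping unmapped roles untouched is what lets site-local roles coexist with IdP-managed ones.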

User interface changes

Two new options will be available on the module's configuration page - if the 'Advanced settings' section is expanded, the 'Retrieve users' email from REMOTE_USER_EMAIL variable' and 'External groups to site's roles mapping' settings will regulate the functionality added by this patch as described above.
As already mentioned above, the e-mail field in the user account modification form is disabled if webserver_auth_email_from_idp is TRUE.
See screenshots appended.

Files

I have tested this solution and it worked - see file patch4.patch. Note that this patch expects that the patches for issues https://www.drupal.org/node/2859664, https://www.drupal.org/node/2859747 and https://www.drupal.org/node/2859975 have been applied, and it also contains a few visual code tweaks that bring some additions and modifications from these patches into line with the module's coding conventions.

Comment  File               Size       Author
#2       patch4.patch       11.39 KB   rkalinec
         patch4.patch       11.39 KB   rkalinec
         2_NewSettings.png  153.71 KB  rkalinec
         1_RolesMapped.png  109.54 KB  rkalinec

Comments

rkalinec created an issue. See original summary.

rkalinec
Issue summary: View changes
File size: 11.39 KB