Problem/Motivation
It is currently impossible to retrieve information about the externally authenticated user. Many IdPs support a wide range of attributes that can hold detailed information about the user. Using these attributes, it is possible not only to provide single sign-on for the user, but also to maintain consistent and up-to-date information about the user across the services they use. In the case of Drupal, only e-mail and group membership information are effectively usable, but this is still an interesting possibility.
Proposed solution
I suggest creating two new configuration variables - webserver_auth_email_from_idp and webserver_auth_ext_groups_roles_map, which will regulate retrieval of e-mail and group membership information, respectively, from an external IdP. The former variable is a TRUE/FALSE option, while the latter is a text area that can contain a mapping of external groups to roles in the format external_group:role;external_group:role... (pairs of external groups and Drupal roles mutually separated by semicolons and internally separated by colons).
This retrieval will be implemented by two new functions - _webserver_auth_update_remote_user_info() and _webserver_auth_update_remote_user_roles(). To ensure not only the initial retrieval of the information but also its subsequent updates, _webserver_auth_attempt_login() will call _webserver_auth_update_remote_user_info() at every login. This function will retrieve the user's e-mail from the REMOTE_USER_EMAIL environment variable and, if it differs from the one in the Drupal database, update it in the database. Afterwards, it will call _webserver_auth_update_remote_user_roles(), which will in turn retrieve external group membership information from the REMOTE_USER_GROUP_* environment variables and use the mapping of external groups to roles in webserver_auth_ext_groups_roles_map (parsed beforehand) to determine which Drupal roles the user should currently hold; according to that, it unassigns and/or assigns roles to the user in the database.
Additionally, the e-mail field in the user account modification form is disabled if webserver_auth_email_from_idp is TRUE.
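The following is an added, stand-alone illustration of the logic described above; it is not code from the webserver_auth module or from the patch. It parses the external_group:role;external_group:role mapping, validates REMOTE_USER_EMAIL before it is allowed to replace the stored address, collects groups from REMOTE_USER_GROUP_* variables and computes which Drupal roles to grant and revoke. The variable names REMOTE_USER_GROUP_1, REMOTE_USER_GROUP_2 and the function names are assumptions, the sample $server array and account data are constructed, and the actual saving of the account is left as a comment because it depends on the Drupal version.

```php
<?php
// Added example (not code from the webserver_auth module or the patch).
// Models the three pieces the issue describes: reading REMOTE_USER_EMAIL,
// parsing the "external_group:role;external_group:role" mapping, and working
// out which Drupal roles to grant or revoke from the REMOTE_USER_GROUP_*
// variables. The names REMOTE_USER_GROUP_1, _2, ... are an assumption, and
// the write to Drupal's user storage is left as a comment.

/**
 * Returns a validated e-mail address from REMOTE_USER_EMAIL, or NULL.
 * An empty or malformed value must never overwrite the stored address.
 */
function ext_auth_email_from_server(array $server): ?string {
  $email = trim((string) ($server['REMOTE_USER_EMAIL'] ?? ''));
  return filter_var($email, FILTER_VALIDATE_EMAIL) !== FALSE ? $email : NULL;
}

/**
 * Parses "group:role;group:role" into [group => [role, ...]].
 * Entries without a colon or with an empty side are skipped and reported
 * through $errors, so a typo in the setting cannot silently map a group
 * to the wrong role.
 */
function ext_auth_parse_map(string $setting, array &$errors = []): array {
  $map = [];
  foreach (explode(';', $setting) as $pair) {
    $pair = trim($pair);
    if ($pair === '') {
      continue;  // tolerate a trailing ";" or blank lines in the text area
    }
    $parts = array_map('trim', explode(':', $pair, 2));
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
      $errors[] = "Malformed mapping entry: '$pair'";
      continue;
    }
    // One external group may legitimately map to several roles.
    $map[$parts[0]][] = $parts[1];
  }
  return $map;
}

/**
 * Collects the external groups the web server exposed as REMOTE_USER_GROUP_*.
 */
function ext_auth_groups_from_server(array $server): array {
  $groups = [];
  foreach ($server as $name => $value) {
    if (strpos($name, 'REMOTE_USER_GROUP_') === 0 && trim((string) $value) !== '') {
      $groups[] = trim((string) $value);
    }
  }
  return array_values(array_unique($groups));
}

/**
 * Computes the roles to grant and revoke. Only roles that occur in the
 * mapping are managed, so a role an administrator assigned by hand is not
 * removed on the user's next login.
 */
function ext_auth_role_changes(array $map, array $groups, array $current_roles): array {
  $managed = [];
  foreach ($map as $roles) {
    foreach ($roles as $role) {
      $managed[$role] = TRUE;
    }
  }
  $desired = [];
  foreach ($groups as $group) {
    foreach ($map[$group] ?? [] as $role) {
      $desired[$role] = TRUE;
    }
  }
  $grant = array_values(array_diff(array_keys($desired), $current_roles));
  $revoke = array_values(array_filter($current_roles, function ($role) use ($managed, $desired) {
    return isset($managed[$role]) && !isset($desired[$role]);
  }));
  return ['grant' => $grant, 'revoke' => $revoke];
}

// Constructed sample input standing in for $_SERVER and the stored account.
$server = [
  'REMOTE_USER'         => 'jdoe',
  'REMOTE_USER_EMAIL'   => 'jdoe@example.org',
  'REMOTE_USER_GROUP_1' => 'staff',
  'REMOTE_USER_GROUP_2' => 'editors',
];
$stored_email  = 'old@example.org';
$current_roles = ['editor', 'administrator', 'reviewer'];

$errors  = [];
$map     = ext_auth_parse_map('staff:content editor; editors:editor; admins:administrator; broken entry;', $errors);
$email   = ext_auth_email_from_server($server);
$changes = ext_auth_role_changes($map, ext_auth_groups_from_server($server), $current_roles);

if ($email !== NULL && $email !== $stored_email) {
  echo "update e-mail: $stored_email -> $email\n";  // here the module would save the account
}
printf("grant: %s\nrevoke: %s\nerrors: %s\n",
  implode(', ', $changes['grant']), implode(', ', $changes['revoke']), implode('; ', $errors));
```

With the constructed input, the user keeps the hand-assigned 'reviewer' role, gains 'content editor' from the 'staff' group, loses 'administrator' because the IdP no longer places the user in 'admins', and the malformed 'broken entry' is reported rather than silently ignored. Treat the mapping setting itself as sensitive configuration: whichever external group is mapped to the administrator role effectively decides who administers the site.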
User interface changes
Two new options will be available on the module's configuration page - if the 'Advanced settings' section is expanded, the 'Retrieve users' email from REMOTE_USER_EMAIL variable' and 'External groups to site's roles mapping' settings will regulate the functionality added by this patch as described above.
As already mentioned above, the e-mail field in the user account modification form is disabled if webserver_auth_email_from_idp is TRUE.
See screenshots appended.
Files
I have tested this solution and it worked - see file patch4.patch. Note that this patch expects that the patches for issues https://www.drupal.org/node/2859664, https://www.drupal.org/node/2859747 and https://www.drupal.org/node/2859975 have been applied, and it also contains a few visual code tweaks that bring some additions and modifications from these patches into line with the module's coding conventions.
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | patch4.patch | 11.39 KB | rkalinec |
| | 2_NewSettings.png | 153.71 KB | rkalinec |
| | 1_RolesMapped.png | 109.54 KB | rkalinec |
Comments
Comment #2
rkalinec commented