Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Role assignment from attributes does not work when provisioning accounts
Steps to Reproduce
This assumes simplesaml is setup and configured appropriately.
- Feature "Register users (i.e., auto-provisioning)" (simplesamlphp_auth.settings.autoenablesaml)is enabled
- Feature "Automatic role population from simpleSAMLphp attributes" (simplesamlphp_auth.settings.role.population) is configured correctly
- Feature "Reevaluate roles every time the user logs in" (simplesamlphp_auth.settings.role.eval_every_time) is disabled
- Use /saml_login to use SSO authentication as a user that does not have an existing Drupal user account
- Once new Drupal user account is provisioned and the user is authenticated with Drupal, observe the user only has authenticated user role, but does not have user roles configured in #2 above.
Expected Results
I expected the user roles configured from the attributes are assigned on the new provisioned Drupal user account.
Notes
- This configuration setting is stored as simplesamlphp_auth.settings.role.populate
- This configuration setting is only used in the SimplesamlphpDrupalAuth service on line SimplesamlphpDrupalAuth.php:297
- This is found in getMatchingRoles method.
- The getMatchingRoles method is only invoked from roleMatchAdd method
- The roleMatchAdd method is invoked from externalLoginRegister method only when role.eval_every_time is TRUE, so only when the "Reevaluate roles every time the user logs in" is enabled.
Proposed Solution
- Use roleMatchAdd method to assign user roles when new accounts are provisioned
- Update config form(s) with help text for feature "Register users (i.e., auto-provisioning)"
Comment | File | Size | Author |
---|---|---|---|
#22 | simplesamlphp_auth-role_assignment-2894945-22.patch | 21.06 KB | dswier |
#21 | simplesamlphp_auth-role_assignment-2894945-21.patch | 22.1 KB | roaldnel |
#20 | interdiff_17-19.txt | 4.67 KB | Arantxio |
#20 | simplesamlphp_auth-role_assignment-2894945-19.patch | 20.21 KB | Arantxio |
#18 | interdiff_17-18.txt | 4.66 KB | Arantxio |
Comments
Comment #2
jasonawantHere's a patch that provides this functionality. Not sure if it's the desired approach. Please review and provide feedback.
Comment #3
jcalais CreditAttribution: jcalais at Siili Solutions commentedRead through your patch as we have the same need to sync roles on first login. Since roleMatchAdd() checks whether role.population is set, we don't need to check that separately, but I'd rather add additional logic to the already existing call to roleMatchAdd instead of making a separate call to the functions as in #2.
Also, #2 doesn't test whether $account was successfully created before trying to sync roles, so there is potential for fatal errors there.
Comment #4
jcalais CreditAttribution: jcalais at Siili Solutions commentedI seem to have managed to get a broken space character into #3. Here is a fixed version.
Comment #5
nsciacca+1 thanks for the patch, #4 worked for me and fulfills the expectation that role evaluations should happen on the new user register.
Comment #6
rklingaman CreditAttribution: rklingaman commentedWe recently upgraded to version 3.2 of this plugin and this issue doesn't seem to be fixed yet and the patch is no longer working on it. Tried a little myself but didn't get to far on trying to figure out how to fix it.
Comment #7
rugnesh88 CreditAttribution: rugnesh88 commented#4 patch that conflicts getting while updating core updates using composer getting the below error:
The error was: Cannot apply patch https://www.drupal.org/files/issues/2018-05-09/simplesamlphp_auth-role_a...
after updated drupal core 8.8.2 using composer update and there is a line no is mismatched in #4.
Here's a updated patch
Please review and provide feedback.
Comment #8
SurfinSpirit CreditAttribution: SurfinSpirit at FFW commentedrugnesh88 patch paths should be relative to module root otherwise composer fails to apply such patches.
Attaching updated patch with relative paths.
Comment #10
nord102Confirmed that the patch from #8 applies cleanly, provides the ability for role assignment when provisioning an account when "Reevaluate roles every time the user logs in" is disabled.
I'm going to set this to RTBC as it's a simple patch and has been confirmed by a few in the thread that it is working.
Comment #11
KFaceyI found a bug in the patch from #8 and have written a new patch that fixes it. To see the bug:
Comment #12
andrew.martin CreditAttribution: andrew.martin as a volunteer commentedSetting this back to needs review as it appears that it was the earlier patch that had been reviewed by the community. The latest one is 20x larger and needs re-reviewed.
Comment #13
banoodle CreditAttribution: banoodle at Kanopi Studios commentedI tried patch #11. It applied cleanly, but didn't resolve the role assignment issue and actually made the registration process fail (just times out), when before it was working ok (except that the role isn't getting auto-assigned).
I'm honestly not sure if the problem is the patch or not. We're using a custom module that extends simplesamlphp_auth, so we may have a bug in there that is interfering with things.
Comment #14
mikemadison CreditAttribution: mikemadison at Acquia commentedthe patch in #11 resolved this issue for me!
Comment #15
daveianoPatch from #11 also solves this for me, thank you!
Comment #16
Johan den Hollander CreditAttribution: Johan den Hollander at Finalist commentedThe #11 patch works for me. Without it my new user is not getting any of the configured roles.
The only way I could give the roles to a new user was by enabling the "Reevaluate roles every time the user logs in" setting, which removes any manually added roles.
I see no errors in the drupal logs, the patch applied to the latest 8.x-3.3 version.
Would be nice to have this committed.
Comment #17
ArantxioAs there is a new version for simplesamlphp_auth, I've created a reroll for this patch. The code is exactly the same, it just moved some lines.
Comment #18
ArantxioThe function "moduleHandler->getImplementations()" is deprecated in D10, so in order to keep it working on D10 i've adjusted the code. With these adjustments it should be compatible with D9 and D10.
Comment #19
Johan den Hollander CreditAttribution: Johan den Hollander at Finalist commentedConfirming that with the latest patch I can login as a new user and get the right roles assigned to the user with Drupal 10.
Comment #20
ArantxioI forgot to replace a part of the example I used, here is the updated version.
Comment #21
roaldnel CreditAttribution: roaldnel at Finalist commentedI rerolled the patch since the previous one could not be applied any longer.
Comment #22
dswier CreditAttribution: dswier commentedI needed to make some changes to the rerolled patch after we discovered some changed behavior on our site. We had been using the patch in #11, and it appears the reroll changed how it worked slightly. The way our SSO setup is configured, you get returned to Drupal right after registering, and should then be logged in. What we started seeing after applying the reroll in #21, was that the user was not instantly logged in. It seems the new patch started doing
Where the #11 patch was keeping what the module was already doing.
This new patch puts it back to the previous code, so that the user's attributes get synced and they are logged in at the end.