Role assignment from attributes does not work when provisioning accounts

Read through your patch as we have the same need to sync roles on first login. Since roleMatchAdd() checks whether role.population is set, we don't need to check that separately, but I'd rather add additional logic to the already existing call to roleMatchAdd instead of making a separate call to the functions as in #2.

Also, #2 doesn't test whether $account was successfully created before trying to sync roles, so there is potential for fatal errors there.

I seem to have managed to get a broken space character into #3. Here is a fixed version.

+1 thanks for the patch, #4 worked for me and fulfills the expectation that role evaluations should happen on the new user register.

We recently upgraded to version 3.2 of this plugin and this issue doesn't seem to be fixed yet and the patch is no longer working on it. Tried a little myself but didn't get to far on trying to figure out how to fix it.

#4 patch that conflicts getting while updating core updates using composer getting the below error:
The error was: Cannot apply patch https://www.drupal.org/files/issues/2018-05-09/simplesamlphp_auth-role_a...
after updated drupal core 8.8.2 using composer update and there is a line no is mismatched in #4.
Here's a updated patch
Please review and provide feedback.

rugnesh88 patch paths should be relative to module root otherwise composer fails to apply such patches.

Attaching updated patch with relative paths.

Confirmed that the patch from #8 applies cleanly, provides the ability for role assignment when provisioning an account when "Reevaluate roles every time the user logs in" is disabled.

I'm going to set this to RTBC as it's a simple patch and has been confirmed by a few in the thread that it is working.

I found a bug in the patch from #8 and have written a new patch that fixes it. To see the bug:

1. On /admin/config/people/simplesamlphp_auth/sync:
1. Uncheck "Reevaluate roles every time the user logs in"
2. Check "Automatically enable SAML authentication for existing users upon successful login"
3. Fill out "Automatic role population from simpleSAMLphp attributes" with a valid role assignment, e.g, "administrator:email,@=,domain.com"
2. Create a new user:
1. The username should be the SAML authname.
2. Uncheck "Enable this user to leverage SAML authentication"
3. SAML login as new user
4. Expected: new user is not assigned new roles. Actual: new user is assigned new roles

Setting this back to needs review as it appears that it was the earlier patch that had been reviewed by the community. The latest one is 20x larger and needs re-reviewed.

I tried patch #11. It applied cleanly, but didn't resolve the role assignment issue and actually made the registration process fail (just times out), when before it was working ok (except that the role isn't getting auto-assigned).

I'm honestly not sure if the problem is the patch or not. We're using a custom module that extends simplesamlphp_auth, so we may have a bug in there that is interfering with things.

the patch in #11 resolved this issue for me!

Patch from #11 also solves this for me, thank you!

The #11 patch works for me. Without it my new user is not getting any of the configured roles.

The only way I could give the roles to a new user was by enabling the "Reevaluate roles every time the user logs in" setting, which removes any manually added roles.

I see no errors in the drupal logs, the patch applied to the latest 8.x-3.3 version.
Would be nice to have this committed.

As there is a new version for simplesamlphp_auth, I've created a reroll for this patch. The code is exactly the same, it just moved some lines.

The function "moduleHandler->getImplementations()" is deprecated in D10, so in order to keep it working on D10 i've adjusted the code. With these adjustments it should be compatible with D9 and D10.

Confirming that with the latest patch I can login as a new user and get the right roles assigned to the user with Drupal 10.

I forgot to replace a part of the example I used, here is the updated version.

I rerolled the patch since the previous one could not be applied any longer.

I needed to make some changes to the rerolled patch after we discovered some changed behavior on our site. We had been using the patch in #11, and it appears the reroll changed how it worked slightly. The way our SSO setup is configured, you get returned to Drupal right after registering, and should then be logged in. What we started seeing after applying the reroll in #21, was that the user was not instantly logged in. It seems the new patch started doing

return $account;

Where the #11 patch was keeping what the module was already doing.

$this->synchronizeUserAttributes($account, TRUE);
return $this->externalauth->userLoginFinalize($account, $authname, 'simplesamlphp_auth');

This new patch puts it back to the previous code, so that the user's attributes get synced and they are logged in at the end.