Flag for disabling locally

I don't think there's all that much that the module is doing.

I am assuming you don't mean that the /saml/* routes should be inaccessible. Just don't use them.

Then there are a few settings that change 'regular login':

• Roles allowed to use Drupal login also when associated with a SAML login (drupal_login_roles, array -- in -dev version, this can be set to ['anonymous'] to allow everyone, per #3211479: Design of map_users_roles setting is problematic. In a currently-released version you must set all allowed roles.)
• Recently: Auto redirect Drupal login screen to SAML (login_auto_redirect, bool - default false)

Is it specifically those things (probably the first) that's messing with your local/CI ability to do something? Because I can't think of any other, from the top of my head.

I don't see the list of settings that influence 'regular' behavior growing much beyond this. So I'm not convinced that an extra configuration option will improve anything. So maybe this is more an issue of documenting this in the README?

Here is my use case with the module's latest stable version (8.x-3.9)

1.- On LOCAL, I cannot use drush uli to login as existing users, because the Drupal login functionality is disabled in favor of University SSO for all user roles. I dont see an option for login auto-redirect nor is the anonymous user listed as a checkbox in the UI for allowed roles.

2.- On LOCAL, when I try to create a user I get an exception:

The website encountered an unexpected error. Please try again later.

Drupal\Core\Entity\EntityStorageException: SP private key not found. in Drupal\Core\Entity\Sql\SqlContentEntityStorage->save() (line 817 of core/lib/Drupal/Core/Entity/Sql/SqlContentEntityStorage.php).
Drupal\samlauth\SamlService->getSamlAuth('acs') (Line: 793)
Drupal\samlauth\SamlService->getAttributeByConfig('user_name_attribute') (Line: 179)
samlauth_user_presave(Object)
call_user_func_array(Object, Array) (Line: 409)
Drupal\Core\Extension\ModuleHandler->Drupal\Core\Extension\{closure}(Object, 'samlauth') (Line: 388)
Drupal\Core\Extension\ModuleHandler->invokeAllWith('user_presave', Object) (Line: 416)
Drupal\Core\Extension\ModuleHandler->invokeAll('user_presave', Array) (Line: 215)
Drupal\Core\Entity\EntityStorageBase->invokeHook('presave', Object) (Line: 900)
Drupal\Core\Entity\ContentEntityStorageBase->invokeHook('presave', Object) (Line: 529)

3.- I cannot easily disable the samlauth module on LOCAL because it is required by the university-wide distro so I have to also manually edit the distro module dependencies first, then disable the module.

4.- It is also less than ideal to have to go to the module configuration screens to change the roles that are allowed to use local Drupal login, this university site has 30 roles.

5.- Both options 3 and 4 are cumbersome to do manually and hard to document for other devs.

It would be great if this module had a flag to disable the samlauth_user_presave() hook and other Drupal touchpoints that I can add to settings.local.php to disable the module on LOCAL so that I can create user accounts with different levels of user roles for testing, without having to enable/disable the module, modify the distro module dependencies, and/or change the allowed roles via UI each time I sync database from PROD.

Edit: I can attach the module's configuration settings yml file if it would be of any help. Maybe there is already a setting that I can just override via settings.local.php to disable things, but I don't know which one it might be.

There's a patch that works around item 2 in #3 at https://www.drupal.org/project/samlauth/issues/2925171#comment-14904456

I'm going to set "fixed", among others for attribution to kick in. Feel free to reopen with extra info / response.

===

Ah, that pesky hook_user_presave. Thanks for pointing me to it. I see it interferes with new user creation.

Fixed now. I added code that should have the same effect as #2925171-16 but does not need an extra flag.

For the rest, I'm still not convinced that we need a new flag for "disabling locally". All other reported issues have to do with restricting local login... which can all be unset. And I put some drush commands in the README (see the above commit).

@jwilson3:

1.- On LOCAL, I cannot use drush uli to login as existing users, because the Drupal login functionality is disabled in favor of University SSO for all user roles. I dont see an option for login auto-redirect nor is the anonymous user listed as a checkbox in the UI for allowed roles.

I don't know why drush uli isn't working. It works for me locally Unless my memory is failing me: we are not restricting drush uli because "a user who gained drush access already can do pretty much anything anyway".

There is now an option for auto-redirecting /user/login to SAML, which wasn't there yet when you wrote your comment.

So both cases look like custom code additions. A module flag can't override that custom code, you'll need to get people to change the custom code. (If they are looking for some module config option to use for the basis to decide whether to restrict login: I suggest either of the options we're discussing/documenting here.)

You don't need to have the "Anonymous" role listed as a checkbox in the UI for allowed roles. What you are looking for is the "Authenticated" role, which every user has. Check that, and every user is allowed to log in.

4.- It is also less than ideal to have to go to the module configuration screens to change the roles that are allowed to use local Drupal login, this university site has 30 roles.

5.- Both options 3 and 4 are cumbersome to do manually and hard to document for other devs.

Not dependent on the number of roles. Just check "Authenticated" and you're good to go. I included the drush command in the README, which seems pretty easy to document: drush config:set --input-format=yaml samlauth.authentication drupal_login_roles '["authenticated"]'.