Problem/Motivation

The value_map field, labeled Value conversions, states that "If this is left empty, the values from the IdP will be interpreted as machine names for Drupal roles."

However, if it is left empty, role mapping is skipped, with the logged message: "value_map is not configured; skipping role mapping."

Steps to reproduce

  1. Configure idp to have SAML attribute with Drupal roles
  2. Enable role mapping and set SAML attribute but leave Value conversions empty.
  3. Login with SAML
  4. See that mapping does not work and the above error message logged

Proposed resolution

Either implement the described feature OR remove it from description

Issue fork samlauth-3506668

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

Comments

laurielim created an issue. See original summary.

isak@websystem.se’s picture

Made a small patch that, if the config for value_map turns out empty, it'll fall back to roles machine names as the field description suggests.

dhruv.mittal’s picture

Assigned: Unassigned » dhruv.mittal

dhruv.mittal’s picture

Assigned: dhruv.mittal » Unassigned
Status: Active » Needs review

As patch has been deprecated and MR is easier to review so I raised MR.
Please Review

roderik made their first commit to this issue’s fork.

roderik’s picture

@isak@websystem.se thank you for the patch. (I was almost going to complicate the whole foreach with more if/then's , but just populating $value_map is much cleaner.)

However, I did not dare to touch this code without adding some tests, to make sure nothing breaks. This is finally done now, and I cleaned up a bunch of code that was IMHO now-unnecessary or hard to read.

In the process, I discovered that the module wasn't logging a warning if a role was sent by the IdP which cannot be mapped to a Drupal role. I believe I was intending that / this should be logged. (Though my intention from 5 years ago was... hard to read.) So I added that warning now, which is a bit of a behavior change... I hope noone's logs will get spammed too much, but I believe people will want to know.

  • roderik committed c8bba8a1 on 8.x-3.x authored by dhruv.mittal
    Issue #3506668 by isak@websystem.se, roderik: Fix empty value_map config...
roderik’s picture

Status: Needs review » Fixed

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.

carstenhager’s picture

It would be great if this warning could be made optional or configurable.

In our setup, the IdP sends a large number of roles, but only a small subset (3 roles) is actually relevant in Drupal. This is intentional and not a misconfiguration.

With the current behavior, every unmapped / non-existing role coming from the IdP would generate a warning on each login. At our scale (100,000+ users), this would flood the logs very quickly without providing actionable information.

Making this warning optional (e.g. via configuration, log level, or a toggle to suppress warnings for unmapped roles) would help support both:

  • strict setups that want visibility into every mismatch, and
  • large-scale environments where ignoring unused IdP roles is expected behavior.
roderik’s picture

Thanks. I sometimes need to be reminded not to introduce behavior changes, for large sites' configurations.

The configuration option is now introduced. Logging warnings is true for new installs, but false for existing installs. 8.x-1.13 released.

  • roderik committed d972bc43 on 8.x-3.x
    fix: #3506668 samlauth_user_roles: Add log_unknown setting, true by...

  • roderik committed b8fe29b2 on 8.x-3.x
    fix: #3506668 samlauth_user_roles: Fix test and update notes.
    
roderik’s picture

Whoops. I hastily cut another release, just after the drupal.org outage / because I was afraid I might not have time. But now, tests fail on v8.x-3.13.

FWIW: the code is fine, the test is wrong. Fixed in next commit.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

roderik’s picture

And a final(?) comment: I was intending for the logging to be enabled on new installations, but that wasn't done until now. Will be done in 8.x-3.15.