Works with Drupal: ^8 || ^9
Release notes
Please test this version; there will be an 8.x-3.0 release soonish. (Yes, it works on Drupal 9 as well.)
The module is out of alpha now. That is: almost all outstanding half-finished functionality (some of which stems from 2016) has been finished, and we're able to make a reasonable guarantee that we won't break compatibility during this major version, because there's a clearer plan for the future: #2882568-6: Plan for SAML Authentication 4.x
It unfortunately doesn't mean (as said in the past) that the module has test coverage: #3202137: Write tests
Upgrading
Run update.php / drush updb.
If you had the 'Allow SAML users to log in directly' (drupal_saml_login) configuration setting turned on: this setting is superseded by a permission. Review whether you might want to turn the permission off for some user roles.
No really big things have changed since earlier versions (or indeed since 8.x-2.x) but - if you were relying on the internals of any of this module's classes earlier: test. A few (likely unimportant to you) methods have changed or been removed.
The 8.x-2.x branch is hereby marked "unsupported". The upgrade path is just as easy as from the 8.x-3.x version; just make sure your composer dependencies are met. The only reason for the major version jump in 2019 was a major version jump in the upstream php-saml dependency. Our own jump was because of an upstream security issue, and having no indication that the upstream 2.x version (which only supported PHP < 7.2) would keep being maintained.
Significant changes/fixes
- Add submodule with a UI for mapping SAML attributes to user fields. (#2900968 by rael9, droath, roderik)
- Add submodule with a UI for role assignment. (#3070028 by zeshan.ziya, droath, Antonnavi, piggito, rafaelferreir4, roderik)
- Proper handling of logout requests - among others: #3132942 by azinck, adamfranco, roderik; #3183933 by johnjw59: Allow External Redirects on Logout Responses.
- Add a configuration setting to log out the currently logged-in user when another user logs in through the IdP. Add warning messages when a user is logged in. (among others #3155968 by pvalappil, roderik)
- Change 'Allow SAML users to log in directly' (drupal_saml_login) configuration setting to a user permission. (#3201411)
Other fixes
- Fix Metadata being cached beyond the expiry date (#3144402 by pghaemim, roderik, larowlan)
- Even more work on preventing "Leaked Metadata" exceptions (#3136339 by byrond, roderik, joshua1234511: Leaked metadata when using Rules 3.0-alpha6 -and Content Access?)
Other enhancements
- Added method SamlAuthUserSyncEvent::isFirstLogin() for the benefit of subscribers who need to know this.
- Debug option to show all login/logout errors on screen.
- Display certificates/key formatted, in the configuration UI.
- #2912717 by validoll: Use the `Forwarded-For-*` headers for proxy
- #3125549 by vbouchet: Allow SSO authentication while maintenance mode is enabled
- #3170734 by joelpittet: Enable support for FriendlyName Attributes
- #3185846 by hexblot: Hide password change for SAML-authenticated users. E-mail field is hidden too.
- Make login/logout requests cacheable.
- Implement flood control on ACS/SLS routes.