Install

Works with Drupal: ^8 || ^9

Using Composer to manage Drupal site dependencies

Alternative installation files

Download samlauth-8.x-3.1.tar.gz (83.97 KB)
MD5: 43fae06baf6fcf31626940cd818202e7
SHA-1: c35da677ca8c5fec3b086ffde609db15bd469585
SHA-256: f2fde0b7eb430481dc15af629067af91c2138e6251b82e1bf7341ea42a7c947c
Download samlauth-8.x-3.1.zip (115.66 KB)
MD5: 9d09deafaf8999b67735b440647481e3
SHA-1: 6681789d8a12d4737ead1b62d2899e7946b9139c
SHA-256: 0b2082c7035f551977ec985556792e8809f1f2766968af3ee5d748d4c3cdebb1

Release notes

Please disregard 8.x-3.0.

Changes since 3.0-RC2:

Fix SA-CONTRIB-2021-006: possible access bypass by way of the password reset email.

Change the 'Allow SAML users to log in directly' permission introduced in 3.0-RC1 into a configuration option (set of roles), so it can be turned off for administrator roles.

Prevent users from logging in if they match an existing Drupal user but cannot be explicitly linked to it (because that Drupal user is already linked to a different SAML/IdP login), even though a corresponding linking option would otherwise allow this.

Expand/refine linking options.

Add list of existing links (authmap table entries) with a facility to remove individual links.

Add 'Tell disallowed users they must log in using SAML' (local_login_saml_error) config, turned off for new installs to prevent information disclosure.

Add 'Require assertions to be signed' (security_assertions_signed) config.

Add 'library default' option for Signature algorithm and make it the default. (The library can occasionally update it; it updated from SHA1 to SHA256 for its v3, but our default setting was still at SHA1.)

Add 'Use Drupal base URL in toolkit library' (use_base_url) config, with the intent of making this the non-configurable situation in v4.x; deprecate 'use_proxy_headers' config option.

Upgrading:

Those still using 8.x-1.3: see the project README.

All: run update.php / drush updb.

Review the new 'Roles allowed to use Drupal login' setting (drupal_login_roles config). If you had 3.0-RC1 installed: any administrator roles are probably enabled here, and you might want to turn them off. If you did not have 3.0-RC1 installed yet: this supersedes the old single checkbox 'Allow SAML users to log in directly' (drupal_saml_login config) and if you had that turned on, you may want to turn this ability off for some user roles.

Review the new 'Tell disallowed users they must log in using SAML' checkbox (local_login_saml_error config); it is on for existing installations but you may want to turn it off if you think the extra security (less information disclosure) outweighs potential confusion.

If you had the 'Attempt to link SAML data to existing local users' checkbox (map_users config) enabled:

  • Review the 'Attempt to link SAML data to existing local users' section (map_users_name / map_users_mail / map_users_roles config) which supersedes the single checkbox. You may want to turn some of them off for extra security (to prevent a subset of existing users from being linked).
  • Please note: until now it was possible for a SAML/IdP user to log in as an existing Drupal user without the user being explicitly linked to that SAML/IdP user, if the Drupal user was already linked to a different SAML/IdP login. From this moment on, login will be denied in this case. If some of your users complain about not being able to log in anymore, their Drupal accounts are likely linked to an older SAML/IdP login that you should remove before they can log in again. A list of links is available at admin/config/people/saml/authmap.

If your 'Signature algorithm' is SHA1: change it (to 'library default' or anything else you prefer) to use current-day security standards.

Check the new 'Require assertions to be signed' (security_assertions_signed) setting; turning it on may provide extra security if your IdP previously did not allow you to turn 'Require messages to be signed' (security_messages_sign) on.

Enable the 'Use Drupal base URL in toolkit library' (use_base_url) setting; it should work for all Drupal configurations. For Drupal sites behind a reverse proxy, this makes sure to use only 'trusted' headers / host values, as configured in settings.php.

Please test this 'Use Drupal base URL in toolkit library' value if you have any nonstandard (e.g. multi-host multilanguage) configuration and file an issue if you see any strange behavior; it will become the non-configurable standard in the next major version of the module.
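The upgrade steps above amount to a checklist of config values to inspect after running update.php / drush updb. As an added example that is not part of the samlauth module or this release, the following POSIX shell script audits an exported samlauth.authentication config file for exactly those settings. It assumes the config object is named samlauth.authentication and that the 'Signature algorithm' value is stored under the key security_signature_algorithm as the xmldsig algorithm URI (neither of these is quoted in the notes above), that booleans export as true/false, and that drupal_login_roles exports as a YAML sequence of role IDs; the two sample exports it writes are constructed for the demonstration, not taken from any real site.

```shell
#!/bin/sh
# Added example, not part of the samlauth module: audit an exported
# samlauth.authentication config for the settings the 8.x-3.1 upgrade notes
# ask you to review. Obtain the file with, for example,
#   drush config:get samlauth.authentication > samlauth.authentication.yml
# Assumptions: config object name and the key security_signature_algorithm
# are taken from the module's config schema, not from the release notes;
# the sample YAML written by write_sample_configs is constructed.

# Scalar value of a top-level key (surrounding quotes stripped), empty if absent.
yaml_get() { # $1 = file, $2 = key
  sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d "'\""
}

# Items of a top-level YAML sequence such as drupal_login_roles.
yaml_list() { # $1 = key, $2 = file
  awk -v key="$1:" '
    $0 == key { inlist = 1; next }
    inlist && /^[[:space:]]+-[[:space:]]*/ { sub(/^[[:space:]]+-[[:space:]]*/, ""); print; next }
    inlist { exit }
  ' "$2"
}

# Print WARN/INFO findings; exit status is 0 only when there are no WARN lines.
audit_samlauth_config() {
  f="$1"; warnings=0

  # 'Signature algorithm' still SHA1: switch to 'library default' (stored as '').
  alg=$(yaml_get "$f" security_signature_algorithm)
  case "$alg" in
    *[Ss][Hh][Aa]1*) echo "WARN signature algorithm is SHA1 ($alg); use 'library default'"
                     warnings=$((warnings + 1)) ;;
  esac

  # 'Require assertions to be signed' (security_assertions_signed).
  [ "$(yaml_get "$f" security_assertions_signed)" = true ] ||
    { echo "WARN security_assertions_signed is off; unsigned assertions are accepted"
      warnings=$((warnings + 1)); }

  # 'Use Drupal base URL in toolkit library' (use_base_url): trusted host/proxy values only.
  [ "$(yaml_get "$f" use_base_url)" = true ] ||
    { echo "WARN use_base_url is off; toolkit derives URLs from raw request headers"
      warnings=$((warnings + 1)); }

  # 'Roles allowed to use Drupal login' (drupal_login_roles): administrator roles
  # should not be able to bypass the IdP with a local password. Name match is a heuristic.
  for role in $(yaml_list drupal_login_roles "$f"); do
    case "$role" in
      *admin*) echo "WARN role '$role' may bypass SAML via Drupal password login"
               warnings=$((warnings + 1)) ;;
    esac
  done

  # Informational: options whose 'on' value trades information disclosure or
  # linking strictness for convenience.
  [ "$(yaml_get "$f" local_login_saml_error)" = true ] &&
    echo "INFO local_login_saml_error is on; failed local logins disclose SAML-only accounts"
  for k in map_users_name map_users_mail; do
    [ "$(yaml_get "$f" "$k")" = true ] &&
      echo "INFO $k is on; IdP users can be linked to existing accounts by this attribute"
  done

  [ "$warnings" -eq 0 ]
}

# Constructed sample exports: a pre-3.1 style config and a hardened one.
write_sample_configs() { # $1 = directory
  cat > "$1/weak.yml" <<'EOF'
drupal_login_roles:
  - authenticated
  - administrator
local_login_saml_error: true
map_users_name: true
map_users_mail: true
security_assertions_signed: false
security_messages_sign: false
security_signature_algorithm: 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
use_base_url: false
use_proxy_headers: true
EOF
  cat > "$1/hardened.yml" <<'EOF'
drupal_login_roles:
  - authenticated
local_login_saml_error: false
map_users_name: true
map_users_mail: false
security_assertions_signed: true
security_messages_sign: true
security_signature_algorithm: ''
use_base_url: true
use_proxy_headers: false
EOF
}

dir=$(mktemp -d)
write_sample_configs "$dir"
echo "== weak.yml";     audit_samlauth_config "$dir/weak.yml"     || echo "-> needs attention"
echo "== hardened.yml"; audit_samlauth_config "$dir/hardened.yml" && echo "-> ok"
rm -rf "$dir"
```

Run it against the drush config:get output or the samlauth.authentication.yml in your config sync directory. The role check only matches role IDs containing "admin", so still read drupal_login_roles against your own role list; the INFO lines are not defects, they are the trade-offs the notes above ask you to decide on.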

Created by: roderik
Created on: 28 Apr 2021 at 15:11 UTC
Last updated: 28 Apr 2021 at 16:57 UTC
Security update
Bug fixes
