Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Reevaluate roles every time the user logs in: FALSE
Register users: FALSE
When users are added, hook_user_insert unconditionally forces the name and e-mail address of the user currently signed in through SSO onto the newly created user. This is problematic when an admin is adding a new user through /admin/people/create: in this case, the SSO user != the user being created.
| Comment | File | Size | Author |
|---|---|---|---|
| #6 | simplesamlphp_auth-fixnewdrupalusers-1824194-6.patch | 674 bytes | jeffam |
| #5 | simplesamlphp_auth-fixnewdrupalusers-1824194-5.patch | 3.28 KB | kenmc |
Comments
Comment #1
colanIt's worse than that. If you've already got a user with that name, you get an integrity contraint violation:
PDOException: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '' for key 'name': UPDATE {users} SET name=:db_update_placeholder_0 WHERE (uid = :db_condition_placeholder_0) ; Array ( [:db_update_placeholder_0] => [:db_condition_placeholder_0] => 1599 ) in simplesamlphp_auth_user_insert() (line 378 of /path/to/drupal/sites/all/modules/simplesamlphp_auth/simplesamlphp_auth.module).Comment #2
colanLogging against an actual release, now that there is one.
Comment #3
colanSorry, I mischaracterized the issue here. I think what the reporter is talking about would be handled by #1280930: Create authmap entries for pre-existing Drupal users, so marking this one as a duplicate.
There error I found above is really #1912262: Empty string in username attribute causes DB integrity constraint violation.
Comment #4
kenmc commentedNo, I don't think #1280930: Create authmap entries for pre-existing Drupal users has anything to do with it. Allow me to describe what happens:
- I sign into my website with my SSO account, which is authmapped to an administrator account on Drupal.
- I go to create a new user through /admin/people/create, fill out the form for the new user information, and click the submit button.
- The new account that is created has MY name as the username and MY e-mail address, not the values I filled out on the form. All of the other values seem fine, though.
From what I can tell, this is a problem in simplesamlphp_auth_user_insert(): it seems to be considerate of the logic for the code that automatically creates Drupal accounts, but not of when I am signed in through SSO and creating a different user account.
Comment #5
kenmc commentedThe following patch adds a new test to make sure the current SSO user account matches the Drupal account being created before it updates any of the user information.
Comment #6
jeffamAbove patch didn't work for me, but sure pointed me in the right direction. Here's what worked in my tests. I found that checking $account->init worked better than $account->name since the module allows the username to be generated from any saml attribute.
Comment #7
grasmash commentedI've created a 7.x-3.x branch of this module with significant refactoring. It includes patches from the following issues:
#2190487: User_login form should have a federated link
#2213283: When simplesamlphp_auth_activate is 0 watchdog messages flood the syslog/dblog
#2221679: Destruction of session causes fatal error
#2020009: Session cookie being set, breaking through Varnish cache.
#1824194: hook_user_insert issues when user adding a new user is logged in via sso
#2205901: Allow SimpleSAML authentication on a per-user basis
https://github.com/grasmash/simplesamlphp_auth/tree/7.x-3.x
Given that so much work has been done (and it will not cleanly merge with 7.x-2.x) I propose that a new 7.x-3.x-dev branch be added to the module.
Comment #8
colan@grasmash: Once folks RTBC your work, I'll happily merge all of it in as 3.x here. Thanks for refactoring!
Comment #9
cthos commentedLooks pretty good to me. Moving this over to RTBC, since no one else has chimed in yet.
I especially like that the setup code is no longer in hook_init.
Comment #10
colanThanks for the review. I'll get that branch set up!
Comment #11
eiriksmPatch in #6 looks great!
Used on a 1.2 version of the module. Of course, the patch does not apply, but it is pretty obvious where you are supposed to put the changed line :)
Comment #12
snufkin commentedFixed in 3.x
Comment #13
colan@snufkin: Thanks for bringing things up-to-speed. I haven't had a chance lately.
Comment #15
bkosborneFYI this bug exists in 2.x and there's a patch that fixes it here: #2365079: SimpleSAML authenticated admin users cannot create other users