Hello,

First of all: Thanks for this great module! It's really helpful.

I have a question about deleted/deactivated users in the IdP.

Scenario:

  • A user logs in via the simpleSAMLphp module
  • Drupal automatically creates a new account for the user
  • The user changes their Drupal password
  • An IdP admin deletes/deactivates the user in the IdP (because the user was fired or something)
  • Now the user can't log in via SAML, but they are still able to log in with their password

How can I check if the user is a SAML user (automatically created) and is still active in the IdP?

Many thanks in advance for helping.

Bryan

Comments

teknikqa

I've used the UserProtect module to disable modifications to username, email and password fields. Only the website admin is allowed to modify these if needed.

This works wonderfully.

odegard

IMO this is not a technical problem. Ideally, whoever is responsible for hiring/firing should also be responsible for telling you too. This really should be a policy, not the admin's responsibility.

You can't say that lack of logins from an IdP means they are fired, I don't see how you can figure this out at all without checking with other systems with this kind of information (LDAP or something else).

snufkin

If you don't enable local authentication for a certain user role, then they will not be able to log in once their SSO has been suspended. Does that solve your problem?

bkosborne

Suggestion in comment #1 is the right idea. Basically you need to prevent users from modifying their password. At the time of writing, the 2.x version of this module already includes this functionality built in. You can configure it to prevent SAML authenticated users from changing their password.
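For anyone on a version without that setting, the approach in comment #1 and the one above can be done in a tiny custom module. This is an added example, not code from the thread or from simplesamlphp_auth itself: it assumes Drupal 7, a hypothetical module name `saml_lockdown`, and that simplesamlphp_auth records its accounts in the `authmap` table under the module key `simplesamlphp_auth`.

```php
<?php
// Added example (hypothetical module "saml_lockdown"), not part of this thread
// or of the simplesamlphp_auth module. It removes the password field from the
// profile form of accounts that simplesamlphp_auth created, so a user whose IdP
// account is later deactivated has no local password left as a fallback.
// Assumption: simplesamlphp_auth links accounts in {authmap} with
// module = 'simplesamlphp_auth'.

/**
 * Implements hook_form_FORM_ID_alter() for user_profile_form.
 */
function saml_lockdown_form_user_profile_form_alter(&$form, &$form_state) {
  // Site administrators keep full control over every account, including
  // the ability to set a local password for break-glass access.
  if (user_access('administer users')) {
    return;
  }
  $account = $form['#user'];
  if (saml_lockdown_is_saml_account($account)) {
    // Hiding the field means no value is submitted and the stored hash
    // is left untouched, so the user cannot set or keep a local password.
    $form['account']['pass']['#access'] = FALSE;
  }
}

/**
 * Returns TRUE when the account is linked to an IdP by simplesamlphp_auth.
 *
 * @param object $account
 *   A fully loaded Drupal user object.
 */
function saml_lockdown_is_saml_account($account) {
  $linked = db_query(
    'SELECT 1 FROM {authmap} WHERE uid = :uid AND module = :module',
    array(':uid' => $account->uid, ':module' => 'simplesamlphp_auth')
  )->fetchField();
  return (bool) $linked;
}
```

This only blocks future password changes; accounts that already set a local password before the hook was installed still need that password reset (or local authentication disabled for the role, as in comment #3).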