Hi,

I cannot for the life of me map an ADFS memberOf string to a Drupal role. Any suggestions?

Details as follows.

I have installed SimpleSAML on the server, setup Drupal as a SP and can log into Drupal using ADFS credentials.

When I look at the SimpleSAMLphp admin page:
https://example.com/simplesaml/module.php/core/authenticate.php?as=defau...

I see the memberOf strings as an attribute with this name:
urn:oid:1.2.840.113556.1.2.102

and values like this:
CN=GU_MyMGS_Parent,OU=MyMGS,OU=Common,OU=User Groups,OU=Security Groups,OU=My Grammar,DC=mgs,DC=local

The urn:oid:1.2.840.113556.1.2.102 attribute is not going into the Name, UID or Email fields. Does that mean it's not available for role mapping?

I have tried the following role mapping combinations. You can probably tell I am clutching at straws.

11:urn:oid:1.2.840.113556.1.2.102,=,"CN=GU_MyMGS_Parent,OU=MyMGS,OU=Common,OU=User Groups,OU=Security Groups,OU=My Grammar,DC=mgs,DC=local"
11:groups,=,"CN=GU_MyMGS_Parent,OU=MyMGS,OU=Common,OU=User Groups,OU=Security Groups,OU=My Grammar,DC=mgs,DC=local"
11:"urn:oid:1.2.840.113556.1.2.102",=,"CN=GU_MyMGS_Parent,OU=MyMGS,OU=Common,OU=User Groups,OU=Security Groups,OU=My Grammar,DC=mgs,DC=local"
11:urn:oid:1.2.840.113556.1.2.102,@=,CN=GU_MyMGS_Parent
11:memberof,@=,CN=GU_MyMGS_Parent

However, my users are not being created with Drupal roles.

I also tried setting SimpleSAMLphp config.php like this:
'class' => 'core:AttributeMap', 'oid2name'

As per this post
https://www.drupal.org/node/1931394

However, I've no idea if there is a user-friendly name for urn:oid:1.2.840.113556.1.2.102, and that change didn't help, so I rolled it back.

Is what I'm trying to do even possible?

Thanks

Regards

Brett Sh

Comments


snufkin

If you see the attribute on the simplesamlphp library debug page, then it should get passed on to the module as well. I'm not sure right now why this is not happening in your case; unfortunately we don't have test coverage on the 7.x branch at all :(

If you enable debugging (simplesamlphp_auth_debug), then you should see some more information in the watchdog that may be of help. We need to figure out why _simplesamlphp_auth_rolepopulation() is not picking up your attribute, to see if it is a problem with the attribute handling, or the mapping to the role.

brettsh

Sorted... it was my mistake :-(

I was putting carriage returns between the rules instead of the | (pipe) character. Once I fixed that, the module started assigning roles.

Thanks for your assistance.

Cheers

Brett
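The fix above is entirely about the separator: simplesamlphp_auth expects every `roleid:attribute,operator,value` rule on one line, joined by `|`, and a newline between rules silently produces one malformed rule that matches nothing. Because this string decides which Drupal roles a SAML user receives, it is worth being able to evaluate it offline against a known attribute set before trusting it in production. The following PHP 8 snippet is an added example, not the module's own code: it is a simplified, assumed re-implementation of that rule syntax (first `:` separates the role id so `urn:oid:...` attribute names keep their colons; a double-quoted value may contain commas; operators `=` exact match, `@=` e-mail domain match, `~=` substring match), run against a constructed attribute array shaped like SimpleSAMLphp's `$attributes`. It deliberately rejects malformed rules instead of assigning no roles, which is the failure mode the thread ran into.

```php
<?php
// Added example, not simplesamlphp_auth's own code: a simplified re-implementation
// of the rule syntax  roleid:attribute,operator,value  with rules joined by "|".
// Assumptions: the first ":" separates the role id from the expression, so
// attribute names such as urn:oid:... keep their colons; a double-quoted value may
// contain commas; operators are "=" (exact), "@=" (e-mail domain) and "~=" (substring).

/** Parse one mapping string into a list of rules; throws on anything malformed. */
function parse_role_rules(string $rolemap): array {
    $rules = [];
    foreach (explode('|', $rolemap) as $rule) {
        $rule = trim($rule);
        if ($rule === '') {
            continue;
        }
        $colon = strpos($rule, ':');
        if ($colon === false) {
            throw new InvalidArgumentException("Rule without role id: $rule");
        }
        $roleId = (int) substr($rule, 0, $colon);
        // str_getcsv honours double quotes, so a DN value full of commas stays whole.
        $parts = str_getcsv(substr($rule, $colon + 1));
        if (count($parts) !== 3 || !in_array($parts[1], ['=', '@=', '~='], true)) {
            throw new InvalidArgumentException("Malformed rule: $rule");
        }
        $rules[] = ['role' => $roleId, 'attribute' => $parts[0], 'op' => $parts[1], 'value' => $parts[2]];
    }
    return $rules;
}

/** Return the role ids whose rules match the SAML attribute array (name => list of values). */
function roles_for_attributes(string $rolemap, array $attributes): array {
    $roles = [];
    foreach (parse_role_rules($rolemap) as $rule) {
        $values = $attributes[$rule['attribute']] ?? [];
        foreach ((array) $values as $value) {
            $hit = match ($rule['op']) {
                '='  => $value === $rule['value'],
                '@=' => substr(strrchr($value, '@') ?: '', 1) === $rule['value'],
                '~=' => str_contains($value, $rule['value']),
            };
            if ($hit) {
                $roles[$rule['role']] = true;
                break;
            }
        }
    }
    return array_keys($roles);
}

// Constructed sample attributes, shaped like SimpleSAMLphp's $attributes array.
$attributes = [
    'urn:oid:1.2.840.113556.1.2.102' => [
        'CN=GU_MyMGS_Parent,OU=MyMGS,OU=Common,OU=User Groups,OU=Security Groups,OU=My Grammar,DC=mgs,DC=local',
    ],
    'mail' => ['someone@example.com'],
];

// Working configuration: rules on one line, separated by "|".
$good = '11:urn:oid:1.2.840.113556.1.2.102,=,"CN=GU_MyMGS_Parent,OU=MyMGS,OU=Common,OU=User Groups,OU=Security Groups,OU=My Grammar,DC=mgs,DC=local"'
      . '|12:mail,@=,example.com';
print_r(roles_for_attributes($good, $attributes));

// The mistake from this thread: a newline instead of "|" glues two rules into one,
// so str_getcsv yields more than three fields and the rule is rejected outright.
$bad = "11:urn:oid:1.2.840.113556.1.2.102,=,\"CN=GU_MyMGS_Parent,OU=MyMGS,DC=mgs,DC=local\"\n"
     . "12:mail,@=,example.com";
try {
    roles_for_attributes($bad, $attributes);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Run it with `php rolemap_check.php` (file name is arbitrary). The practical check it gives you is the one the debug watchdog entries would eventually reveal: feed it the exact attribute array copied from the SimpleSAMLphp authenticate page and the exact mapping string from the module settings, and confirm the expected role ids come back before any real user logs in.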

snufkin

Status: Active » Fixed

Good news! Closing the issue.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.