Automatic role populiation from simpleSAMLphp attributes

Are you sure the name of the attribute you are comparing is MemberOf? You could try to go through the authentication proces while using Saml Tracer to figure out the exact name of the attributes being sent to Drupal.

I'm actually running into a similar issues. I can't get it to evaluate roles correctly for names with spaces
Should in encapsulate them in ' or "? I've tried both but neither seems to work. EmployeeDepartment is an attribute I am releasing in Shibboleth.

Example:
4:EmployeeDepartment,=,'Library Department'|3:EmployeeDepartment,=,'Technology Services'

Any ideas?

Hi Cyndi -

My first recommendation would be to use the rid rather than the string 'administrator' as your first condition.

Though based on the following comments it is possible that there is an issue with attributes being passed over that contain spaces. To ensure that this is the case, if you test your authentication via the "test authentication sources" part of the simplesaml library which should be included in your installation can you confirm that the attribute names are coming across as you expect them to?

I started looking into auto role assignments functionality yesterday only and came across similar issue and while researching found this post.
Also I saw this post (link below) where it is mentioned in one of the comments about using friendly names for the attributes for role assignments. Not sure if this is valid for D8 or not. Please see if this helps.
https://www.drupal.org/node/1931394#comment-7148888

I myself can't use this friendly-name approach even if it works as I don't have control on IdP to create friendly names for attributes.
I am thinking of using hook_simplesamlphp_auth_user_roles_alter for setting up the roles. If anyone have used this approach before then please advise.

I managed to convert my urn:oid to a friendly name but the "Automatic role population from simpleSAMLphp attributes" did not work. Here's an example of the attributes I'm getting:

And here are the rules I have under the "Automatic role population from simpleSAMLphp attributes":

1:mail,=,charlie@mysp.edu|1: isMemberOf,=,CN=ATHENA.ADMIN

However, when I'm logged in, I do not the have the Drupal administrator previliage. Any suggestions? Is there any other settings I'm not aware of here?

With the lates version 8.x-3.0-rc2, has anyone gotten the Automatic role populiation from simpleSAMLphp attributes work? I've tried 1:mail and administrator:mail and none has worked. I can see the user is showing in the People page/view but the role is no role associated with it.

Okay, so I've also found that ~= works but exact does not work.

I had to use the hook to populate the role and update user profile data based on SAML attributes..here's the sample code. Hopefully it will help.

define('SAML_ATTRIBUTE_EMAIL', 'http://schemas.xmlsoap.org/....[your idp attribute url].../emailaddress');
define('SAML_ATTRIBUTE_FIRST_NAME', 'http://schemas.xmlsoap.org/......./givenname');
define('SAML_ATTRIBUTE_LAST_NAME', 'http://schemas.xmlsoap.org/......../surname');

function my_user_simplesamlphp_auth_user_attributes(\Drupal\user\UserInterface $account, $attributes) {
$email_address = $attributes[SAML_ATTRIBUTE_EMAIL][0];
$first_name = $attributes[SAML_ATTRIBUTE_FIRST_NAME][0];
$last_name = $attributes[SAML_ATTRIBUTE_LAST_NAME][0];
$account->set('field_firstname', $first_name);
$account->set('field_lastname', $last_name);

// Is the Email Address provided by the user belong to one of the given Domains.
if ($my_util_helper->matchInternalEmailAddressDomains($email_address)) {
$account->addRole('test_user');
}

return $account;
}

Hello,

I was looking into "Automatic role population from simpleSAMLphp attributes" feature today, and here are a few notes from what I can tell from stepping through the authentication request.

• This configuration setting is stored as simplesamlphp_auth.settings.role.populate
• This configuration setting is only used in the SimplesamlphpDrupalAuth service on line SimplesamlphpDrupalAuth.php:297
• This is found in getMatchingRoles method.
• The getMatchingRoles method is only invoked from roleMatchAdd method
• The roleMatchAdd method is invoked from externalLoginRegister method only when role.eval_every_time is TRUE, so only when the "Reevaluate roles every time the user logs in" is enabled.

Let me know if that is not the correct understanding. As such, I would say this feature is entirely broken b/c it does not work when auto provisioning accounts is enabled and "Reevaluate roles every time the user logs in" is disabled. I'd expect the feature " "Automatic role population from simpleSAMLphp attributes" to work when provisioning accounts the first time.

As such, I've changed the issue priority.

As darora stated in comment #12, you can achieve this with a module hook b/c in SimplesamlphpDrupalAuth::externalRegister() you will find this bit of logic that is there to allow other modules to determine if a user already exists.

// If auto-enable SAML is activated, take more action to find an existing
      // user.
      if ($this->config->get('autoenablesaml')) {
        // Allow other modules to decide if there is an existing Drupal user,
        // based on the supplied SAML atttributes.
        $attributes = $this->simplesamlAuth->getAttributes();
        foreach (\Drupal::moduleHandler()->getImplementations('simplesamlphp_auth_existing_user') as $module) {
          $return_value = \Drupal::moduleHandler()->invoke($module, 'simplesamlphp_auth_existing_user', [$attributes]);
          if ($return_value instanceof UserInterface) {
            $account = $return_value;
            if ($this->config->get('debug')) {
              $this->logger->debug('Linking authname %authname to existing Drupal user with ID %id because "Automatically enable SAML authentication for existing users upon successful login" setting is activated.', [
                '%authname' => $authname,
                '%id' => $account->id(),
              ]);
            }
            $this->externalauth->linkExistingAccount($authname, 'simplesamlphp_auth', $account);
          }
        }
      }

To conclude, the modules needs to

• Support "Automatic role population from simpleSAMLphp attributes" when provisioning accounts and sync roles is disabled
• Or not support it and update help text and documentation to indicate such, maybe point to use module hook to do it.
• Depending on the above two items, update above code snippet comment to indicate user role assignment can occur here as well as determining existing user.

Hi,

After reading the original issue, I may have highjacked this issue. I created a new issue: https://www.drupal.org/node/2894945 for the scenario I was experiencing. I'm adding that a related issue.