Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
When logging in we are presented the standard log in Drupal page with a list of federated sources to choose from.
When only using one of them as the single source for authentication (not even local accounts), it could be useful if the Log in block went directly to the IdP instead of the Drupal page.
Comment | File | Size | Author |
---|---|---|---|
#9 | simplesamlphp_auth-direct-idp-login-2843079-9.patch | 2.52 KB | rwmanos |
| |||
#4 | interdiff-2843079-2-4.txt | 9.14 KB | brathbone |
#4 | log_in_directly_with-2843079-4.patch | 5.09 KB | brathbone |
#2 | simplesamlphp_auth-direct-idp-login-2843079-2.patch | 5.21 KB | sergiofc |
Issue fork simplesamlphp_auth-2843079
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
Comments
Comment #2
sergiofc CreditAttribution: sergiofc commentedI wrote a small modification where you can select this option from the Local Authentication tab, so it will replace the routing from /user/login to /saml_login.
This solves the problem where users are now returned to the page where they logged in.
I had to rebuild routing cache if a change was done to this setting because otherwise it was still routing to the old value not making this change immediately effective.
Comment #3
sergiofc CreditAttribution: sergiofc commentedComment #4
brathbone CreditAttribution: brathbone as a volunteer commentedHi there. I took a look at this. When I went to apply the patch, it would not apply when I attempted it to apply it to the latest in the 8.x-3.x branch. I went ahead and re-rolled the patch and manually applied the changes in the appropriate places.
After doing this and testing it on my setup, it worked as advertised. I applied this to a stock version of Drupal 8.3.2, with an already working instance of SimpleSAMLphp working as my SP and using a Shibboleth IDP. The /user/login page automatically redirected to my IDP.
I'm attaching my patch and interdiff. I'm still rather new to the patching and interdiff process so please let me know if anything is off. The patch name is different as per step #11 on https://www.drupal.org/node/707484.
As a new patch is involved, I'm assuming another community member needs to confirm the patch worked so leaving this as 'Needs Review.'
Comment #5
sergiofc CreditAttribution: sergiofc commentedHi brathbone,
Thanks a lot for taking the time for testing the feature. It was no surprise to me that the patch doesn't apply correctly after 6 months of publishing.
Luckily for all, it was just reapplying the changes to the new base code and not losing time on changing the code itself.
Many thanks and greetings!
PS: Let's hope this will ping the maintainers and merge the feature soon into master.
Comment #6
rwmanos CreditAttribution: rwmanos commentedWe tested the patch in #4 for 8.x-3.0-rc2 and it works very well.
It can be applied directly to 8.x-3.x-dev. Can you please merge it? It is important functionality for us.
Thank you in advance.
Comment #7
rwmanos CreditAttribution: rwmanos commentedThere is a bug in the patch that if you access a website directly at ${site}/saml_login there is a redirection loop. Firefox, for instance, shows "The page isn’t redirecting properly: Firefox has detected that the server is redirecting the request for this address in a way that will never complete."
I'm working on a version that implements the EventSubscriberInterface instead.
Comment #8
dakku CreditAttribution: dakku as a volunteer commentedThis is quite an interesting development, I look forward to testing the event subscriber implementation.
Does this completely take over the local user login? What about Drush ULI?
Comment #9
rwmanos CreditAttribution: rwmanos commentedI have a proposed solution.
Implementation
The concept is to directly redirect anonymous users that try to access the Drupal login page to the external identity provider.
The sample code is generalized as possible and considers modified user or SAML paths. For instance, someone could rename /user/login to anything using a module such as Rename Admin Paths. So matching the RouteName is more robust than matching the path. Similarly, the SAML path could be changed, although this shouldn't be as common.
Integration to simplesamlphp_auth
Initially, I implemented this redirection in a separate module. But we strongly believe that this functionality would be useful to more people and should be integrated to the simplesamlphp_auth module.
The previous proposed patches define a new configuration in order to enable or disable this functionality. During the evaluation of this integration, I realized that this functionality can be based on the 'allow.default_login' configuration. The label states: 'Allow authentication with local Drupal accounts' and the description states: 'Check this box if you want to let people log in with local Drupal accounts (without using simpleSAMLphp).'
We believe it makes sense to completely skip the Drupal login page and directly redirect anonymous users to the external identity provider when the 'allow.default_login' option is not selected. Because even if a user accesses the Drupal login page he/she will never be able to login with a Drupal account. By skipping this page we also do not allow creating users or reseting passwords. But this is not a problem since any (new) user will not be able to login with neither a new nor an old password.
Proposed patch
Initially, I was going to create a new EventSubscriber but I noticed that ./src/EventSubscriber/SimplesamlSubscriber.php has generic documentation (i.e. 'Event subscriber subscribing to KernelEvents::REQUEST'). Since this patch is another event of the same KernelEvent, we can append it to that source file. That eliminates the need to create a new service. Also, if we had to create a new service we would need to make changes to that one as well to document why they differ.
I have attached the proposed patch.
Description changes
I mentioned this redirection in the description. I also removed the text about entering the Drupal user IDs to keep it simple. This was incomplete anyway because someone could ask why you mention the user ID option and not the ROLES option.
Drush ULI
Drush ULI works only when 'allow.default_login' is enabled. This will remain the case with these changes (thanks @dakku for the question).
Future improvements
At admin/config/people/simplesamlphp_auth/local, the following options
* 'Allow SAML users to set Drupal passwords'
* 'Which ROLES should be allowed to login with local accounts?'
* 'Which users should be allowed to login with local accounts?'
depend on
* 'Allow authentication with local Drupal accounts'
So it makes sence to hide/freeze them if the that one is not selected.
Comment #10
rwmanos CreditAttribution: rwmanos commentedComment #11
rwmanos CreditAttribution: rwmanos commentedAny comment on that (dakku?)? Does someone prefer a separate menu option for this functionality?
Comment #12
dakku CreditAttribution: dakku as a volunteer commentedHi Romanos,
Thank you for the patch and summary. I havent had a chance to test out the functionality yet. But it seems like a great idea. Hopefully I will get a chance to review over the Christmas holidays. Have a fantastic time yourself.
Comment #13
timwoodIf there is anyway to allow `drush uli` to work with the solution in the latest patch, we'd love to use this. Otherwise, we cannot use the patch as provided.
Perhaps something that checks whether it's a one-time login link, and allows that?
Comment #14
rwmanos CreditAttribution: rwmanos commented@timwood the latest patch does not affect the functionality of `drush uli` at all.
What I mentioned in #9 is that actually Drush ULI works only if 'Allow authentication with local Drupal accounts' is selected. This is a module option and irrelevant to this patch.
Comment #15
rwmanos CreditAttribution: rwmanos commentedJust to mention a possible limitation of the latest patch:
When you disable the 'Allow authentication with local Drupal accounts' option, users are automatically redirected to saml when trying to log-in (this is the patch's main goal). Now, when you enable it back a cache-rebuild is required for the Drupal log-in page to reappear. Does anyone know a way to improve this? Would it be considered as a blocker bug?
Comment #16
timwood@rwmanos. I understand what was explained in #9, but we actually want to use the convenience and enforcement of all-SAML logins which this patch provides (by unchecking "Allow authentication with local Drupal accounts"), EXCEPT for when using `drush uli`. Limiting drupal user #1's login to only those with access to run `drush uli` against each environment, provides stronger security control and separation of duties. Plus there is no need to share or even ever record user #1's password.
Based on your patch, I tried to find something to allow the one-time login's to work, but I couldn't figure out what to check against. Perhaps something like:
Comment #17
rwmanos CreditAttribution: rwmanos commented@timwood thanks for elaborating! The request is more clear now.
Still though, my point is that drush uli currently does not work when "Allow authentication with local Drupal accounts" is not selected, is it? So if this changes in the future we don't even know if this patch will affect it. We need to test it first. I believe this should be handled by another issue and not try to change two different things with a single patch.
Am I missing something?
Comment #18
timwood@rwmanos
I get it now. I agree. Separate issue makes most sense for my request. Thanks!
Comment #19
timwoodAlso, I reviewed the patch from #9 and it seems to work as advertised.
Comment #20
dakku CreditAttribution: dakku as a volunteer commented@rwmanos & @timwood, thanks guys. I will also do a quick test and aim to merge it in for the next release.
Comment #22
dakku CreditAttribution: dakku as a volunteer commentedCommitted, thank you all.