Multiple Authentication sources

Overall I'm not against it, but it would require a substantial undertaking, one that I don't think would happen without someone contributing to the project. I'll change the target version to the dev for clarity.

I recently witnessed the use of a discovery service to accomplish this

This was done by adding the below code to their authsources.php file.

// The URL to the discovery service.
// Can be NULL/unset, in which case a builtin discovery service will be used.
'discoURL' => 'discovery_service_url',

While this method would almost certainly require all the incoming attributes to be named the same, I would imagine you could change the names before sending them to Drupal to ensure they matched.

The only problem in supporting multiple IDPs is that each source can have its own attributes name.
In my case it's Google and Facebook. Here is a patch which allow to set multiple comma-separated attributes, so on each user login, system will check for all possible attribute names before throw and exception.

Settings form will look like this:

This is nice way to solve that in backward-compatible way

1. +++ b/src/Form/SyncingSettingsForm.php
   @@ -30,6 +30,9 @@ class SyncingSettingsForm extends ConfigFormBase {
   +    $multi_valued_text = 'If you have more than one IDp, with different attributes name. You can put comma-separated attribute names in this field. (e.g. "facebook.someValue,google_someValue")';
   

   IMO that should be translatable as well

2. +++ b/src/Service/SimplesamlphpAuthManager.php
   @@ -156,9 +156,12 @@ class SimplesamlphpAuthManager {
   -      if (!empty($attributes[$attribute][0])) {
   -        return $attributes[$attribute][0];
   +      foreach (explode(',', $attribute) as $attr) {
   +        if (!empty($attributes[$attr][0])) {
   +          return $attributes[$attr][0];
   

   That looks backward compatible!

3. +++ b/src/Service/SimplesamlphpAuthManager.php
   @@ -156,9 +156,12 @@ class SimplesamlphpAuthManager {
   +
        if (isset($attributes)) {
   

   nitpick, could be removed on commit

I have the two idp's working and am using the discovery service to let the users select the idp they wish to authenticate with.

Anybody know how to link to each IDP individually for login? I don't want to send the users to the discovery service and going to /saml_login only works for the auth source you declare in the basic settings configuration page of the module.

I would like to be able to make a button on a certain page for each auth source I have configured.

it works for me! I have ADFS and OKTA both enabled on a single website. Thanks.

Setting to needs work to address the review in #7, wondering if we can test this somehow.

Hello!
Attaching patch with fix for review in #7
Unfortunately don't have time for tests right now. Maybe make sense to create follow up, I'll try to jump in on one of next contrib events.

#6 might need a re-roll, the tests don't seem to like it.

The method suggested in the patches seems to work but there are a couple of issues with it:

1. As @sbbutkcin mentioned in #8, this method relies on the discovery service (aka the "Select your identity provider" page) which doesn't provide a great user experience.
2. There is the possibility of attributes clashing. Example: IdPs A and B both send the name attribute but A associates the attribute with the user's actual name vs B which associates it with the user's username. With this solution, if name is set as the first username attribute it will work for B but then the incorrect one would be used on A.

I think if anything there should be a separate configuration page for each IdP, including the option to set a login link for each.

I had some issues applying the patch in #11, patch was giving the mysterious error:

patch unexpectedly ends in middle of line
patch: **** Only garbage was found in the patch input.

I hand-applied it and re-rolled, and it seemed to work, although I am not sure what the difference is -- something in line ending format ?

In any case, I think this patch looks good.

In my opinion, it's better than what we have now, we should probably merge it and then make a separate issue to address @cbanman 's comments in #13 -- how can we send the user to the correct idp ( maybe each one has it's own login url ?) and how to avoid attribute clashing ( I think we'll have to have a separate config for each idp, which is a completely different approach from this patch).

Thanks! Patch #15 works for me.
However, only one sp is allowed on the "Authentication source for this SP" configuration.
So I'm adding a suggestion on how to provide the possibility to have multiple sp working at the same time, by adding the sp as an argument in the url "/saml_login/{sp}".

We are currently running the 4.x version of SimpleSAMLphp_auth module because we are on Drupal 10 and the 4.x version currently only supports D10.

Despite 8.x-3.x-dev being targeted, patches #15 and #16 apply successfully the 4.x branch. Like @dgaspara, we need to support multiple auth sources / service providers so #16 provided functionality we wanted. However, after applying the patch in #16, we ran into issues, so I rerolled the patch and also included an interdiff.

I took a slightly different approach from #16 regarding implementation, so open to feedback!

I'm also updating the target branch :)

Updating the patch, including an interdiff between previous patch. In the previous patch, SimplesamlphpAuthManager::externalAuthenticate() was not updated to account for the dynamic $sp when multiple authsources are configured. This new patch solves for this and externalAuthenticate(), when called in the Controller with a dynamic $sp value, will send the argument to the externalAuthenticate() method which executes ::getSimpleSamlInstance() with the $sp argument.

Notably, the patch does not include tests, because, well, time constraints.

@kkohlbrenner After patching, I still found nowhere to configure multiple authsources in Drupal.