Allow one-time login links created by `drush uli` (or other means) to work when "Allow authentication with local drupal accounts" is unchecked

We use exactly this method when working with the module. We check the "Allow authentication with local Drupal accounts" and enter 1 in the "Which users should be allowed to login with local accounts?" textfield. This configuration should accommodate your use case.

Hi timwood,

rickward posted a configuration that should accommodate your use case in #2. Can you clarify why "Which users should be allowed to login with local accounts?": "1" does not work for you?

@idebr and @rickward I've the exact same use case as @timwood. I'd like user 1 to be able login with drush uli/one time login and everybody else login though SAML removing the form.

This used to work earlier this year and seems to have stopped.

The only patches I'm using are: #2900442-11: Use Drupal session manager in logout #2748731-12: Don't attempt username sync when user was already matched by username

Oh also, I tried suggestion as well and it didn't work, the one time login doesn't seem to function.

Here's the diff that I tested.

--- a/config/sync/simplesamlphp_auth.settings.yml
+++ b/config/sync/simplesamlphp_auth.settings.yml
@@ -13,10 +13,11 @@ role:
 register_users: true
 allow:
   set_drupal_pwd: false
-  default_login: false
+  default_login: true
   default_login_roles:
     administrator: administrator
     authenticated: '0'
   default_login_users: '1'
 logout_goto_url: ''
 user_register_original: admin_only

Edit: Ignore this I was having config issues, it does work but ideally the form would always redirect except for one time login

I have a slight variation on the OP's use case: due to externally defined security requirements, we need to prevent all users from logging in using a Drupal password, but allow logins via "drush uli" to facilitate logging into test accounts. The problem with the solution proposed thus far is it would allow certain users to login using a Drupal password.

We have SAML accounts, we can't create multiple SAML accounts for an individual due to policies out of our control, and we have Drupal-only accounts that developers need to be able to log in with to test functionality.

#5/#6 If I understand correctly, you would like visitors to /user (or /user/login) to be redirected to /saml_login but at the same time have certain accounts or roles be able to log in with one-time login links.

Perhaps we can accommodate this use case by splitting up the 'which users/roles can use Drupal accounts' and 'redirect all anonymous users to /saml_login instead of the Drupal login form' to separate configuration options?

We needed drush uli to work, but also wanted the user/login path redirected to our provider. It seems like there might need to be configuration for each of these things rather than lumping them together into one checkbox. Here's a temporary patch we needed to allow the drush uli logins to work for us until we can find a more permanent solution here.

Patch re-roll, this is still a temporary solution but it does work. Our use-case is also that we don't want users to access /user/login pages but we still want to login via Drush.

This is still an issue. We want all users landing at /user to be redirected to saml login. But we also want drush uli to work for local environments or test environments where saml is not hooked up.

The patch in #13 does work and seems fine for us given that we won't enable 'allow default login'. But it is certainly a hack. It would nice to just have a configuration option to make drush uli work.

Tagging on support for this.

We'd like all /user paths (/user, /user/login, /user/password) to redirect to Saml, which can be achieved by disallowing local user logins.

However for a subset of users we'd like them to be able to use one-time login links to access the site in the event of an emergency or Saml downtime, therefore need the /user/reset paths to be accessible.

All client users login using Saml, but historically the dev team haven't had SSO accounts set up. They are slowly being rolled out but this is a long process, therefore the dev team needs access via one-time login.

Additionally in the event of an emergency outage the team at the hosting provider (Acquia) need to be able to create and login to an account without going via Saml, therefore need access via one-time login link.

To get around this our current configuration is to allow local logins, and the client has configured a Cloudflare redirect that directs users from /user to the Saml login page. However they've found that adding any query string (eg /user?dfgkjhdflg) prevents that redirect from happening, and that there are extra paths they didn't realise existed!, so we'd really like to leverage the default functionality from this module.

Our ideal configuration/outcome would be:

1. When an anonymous user accesses /user, /user/password, /user/login, or any of those with a query string, they are redirected to Saml login.
2. If a non-allowed user creates a one-time login link and uses that to login, they are redirected to the Saml login.
3. If an allowed user creates a one-time login link and uses that to login, they are able to login without going via Saml.

The patch works, but is definitely a hack. A configuration option, eg "Allow use of one-time login links", would be useful - potentially with allowed roles/user IDs, the same as the default login.