Problem/Motivation
When a new user is provisioned, the account name and email are synced with the SAML attributes. However, our IdP does NOT return a mail attribute, so an exception is thrown during the sync:
```php
// SimplesamlphpDrupalAuth.php
public function getAttribute($attribute) { // <-- $attribute is blank
  $attributes = $this->getAttributes();
  if (isset($attributes)) {
    if (!empty($attributes[$attribute][0])) { // <-- Evaluates to FALSE
      return $attributes[$attribute][0];
    }
  }
  throw new SimplesamlphpAttributeException(sprintf('Error in simplesamlphp_auth.module: no valid "%s" attribute set.', $attribute));
}
```
Proposed resolution
Allow other modules to handle the sync. I use an event subscriber to listen to the ExternalAuthEvents::REGISTER event, at which point I can make an external API call to retrieve the user's email (and name, age, etc.). A simple checkbox on the configuration page would allow an admin to override the default behavior.
| Comment | File | Size | Author |
|---|---|---|---|
| #2 | 2990291-2.patch | 2.78 KB | zerbash |
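A sketch of the kind of subscriber the proposed resolution describes, added here as an illustration; it is not code from the patch or from the simplesamlphp_auth module. The module name `example_saml_sync`, the `$directory` client and its `lookupEmail()` method are hypothetical, and the class still has to be registered as a tagged `event_subscriber` service.

```php
<?php

namespace Drupal\example_saml_sync\EventSubscriber;

use Drupal\Component\Utility\EmailValidatorInterface;
use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\externalauth\Event\ExternalAuthEvents;
use Drupal\externalauth\Event\ExternalAuthRegisterEvent;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;

/**
 * Fills in the email of a newly provisioned SAML user from another source.
 */
class RegisterSubscriber implements EventSubscriberInterface {

  // $directory is a hypothetical API client exposing lookupEmail(string).
  public function __construct(
    private $directory,
    private EmailValidatorInterface $emailValidator,
    private EntityTypeManagerInterface $entityTypeManager
  ) {}

  public static function getSubscribedEvents() {
    return [ExternalAuthEvents::REGISTER => 'onRegister'];
  }

  public function onRegister(ExternalAuthRegisterEvent $event) {
    // Assumption: simplesamlphp_auth registers users under this provider name.
    if ($event->getProvider() !== 'simplesamlphp_auth') {
      return;
    }
    $account = $event->getAccount();
    $mail = $this->directory->lookupEmail($event->getAuthname());

    // Treat the external API response as untrusted input.
    if (!is_string($mail) || !$this->emailValidator->isValid($mail)) {
      return;
    }
    // Refuse an address that already belongs to a different account, so a
    // new SAML identity cannot end up sharing another user's email.
    $owners = $this->entityTypeManager->getStorage('user')
      ->loadByProperties(['mail' => $mail]);
    unset($owners[$account->id()]);
    if ($owners) {
      return;
    }
    // Assumption: the account was already saved before the event fired.
    $account->setEmail($mail);
    $account->save();
  }

}
```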
Comments
Comment #2
zerbash commented
Comment #3
lpeabody commented
I ran into this and I solved it by simply blanking out the "SimpleSAMLphp attribute to be used as email address for the user" value in the "User info and syncing" form.