On a site supporting external authentication from services other than SAML-based ones, a user account with an authmap record for a non-SAML provider will see that record wiped if user form is submitted with the "Enable this user to leverage SAML authentication" checkbox disabled. This is due to ExternalAuth/Authmap not supporting clearing of authmap records by both uid and provider, but just by uid.

A possible fix is being worked on at #3070335: Using multiple auth providers results in all auth data being wiped for a user; simplesamlphp_auth itself will also require an update once externalauth gets the proper support in place. The code to change is located at simplesamlphp_auth_user_form_submit() (.module file).

CommentFileSizeAuthor
#4 3123959-simplesamlphp_auth-selective-authmap-delete-on-save-4.patch473 bytesjedihe

Comments

jedihe created an issue. See original summary.

jedihe’s picture

jedihe commented
Issue summary: View changes
jedihe’s picture

jedihe commented

Patch attached. It requires patching externalauth with #3070335: Using multiple auth providers results in all auth data being wiped for a user / #4.

jedihe’s picture

jedihe commented
StatusFileSize
new 3123959-simplesamlphp_auth-selective-authmap-delete-on-save-4.patch473 bytes
ctrladel’s picture

ctrladel
Primary language English
Location North Carolina, USA
commented

Applied both patches and everything is now working as expected for me, simplesamlphp_auth is no longer removing mappings from other auth providers.

jedihe’s picture

jedihe commented

Great! thx @ctrlADel for testing and reporting.

Keeping as "Active"; we should switch to "Needs Review" once the patch in externalauth is accepted. That is, if the accepted version of that patch is compatible with the code change in #4.

kingdutch’s picture

kingdutch
he/him
Primary language English
commented
Status: Active » Needs review

Related issue is merged, lets move this along :D

albertski’s picture

albertski commented
Status: Needs review » Reviewed & tested by the community

I'm also using the CAS module and found that when editing a user that was created via CAS, it deletes the record from the authmap table. Verified and tested that this patch looks good.

czigor’s picture

czigor commented
Priority: Normal » Major

#4 works for us too.

Since this is causing data loss, raising it to major.

  • Berdir committed 31a968f6 on 4.x authored by jedihe 
    Issue #3123959 by jedihe: Using multiple auth providers results in all...
berdir’s picture

berdir
Primary language German
Location Switzerland
commented
Version: 8.x-3.x-dev » 4.x-dev
Status: Reviewed & tested by the community » Fixed

Committed to 4.x.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.