simplesamlphp-module-drupalauth's Introduction

Introduction

Drupal + SimpleSAMLphp + drupalauth = Complete SAML Identity Provider (IdP)

Users interact with Drupal to create accounts, manage accounts, and authenticate. SAML SPs interact with SimpleSAMLphp. Drupalauth ties Drupal to SimpleSAMLphp.

The drupalauth module for simpleSAMLphp makes it easy to create a SAML or Shibboleth identity provider (IdP) by enabling authentication of users against a Drupal site on the same server. This allows the administrator to leverage the user management and integration capabilities of Drupal for managing the identity life cycle.

NOTE: This software establishes a SAML identity provider (IdP) using Drupal as the user database instead of LDAP. If you want to establish your Drupal site as a SAML service provider (SP) connected to a SAML or Shibboleth IdP, see the simplesamlphp_auth module for Drupal.

simpleSAMLphp module

This module for SimpleSAMLphp provides an Authentication Source for authenticating users against a local Drupal site. This allows the administrator to leverage the user management and integration capabilities of Drupal for managing the identity life cycle and the power of SimpleSAMLphp for identity integration. This is a simpleSAMLphp module, NOT a Drupal module. Download this module only if you want to use Drupal as Identity Provider.

Drupal modules

If you want to use Drupal as an Identity Provider, you should also install drupalauth4ssp, which is available on Drupal.org. Please note that all issues related to Drupal functionality should be reported there.

If you want to connect your Drupal site as Service Provider to a SAML or Shibboleth IdP, use the simplesamlphp_auth module for Drupal.

Branch and version naming

Following Semantic Versioning is hard when you have multiple upstream dependencies.

So in an X.Y.Z version:

  • X - major SimpleSAMLphp version
  • Y - major Drupal version
  • Z - this module's incremental version

Example: for SimpleSAMLphp version 1.15.4 with Drupal version 8.5.6 and this module version 1 we will have tag 1.8.1. Same thing for Drupal 7 will be 1.7.1.

main at the moment corresponds to 2.10.*. Branch 1.7 is for Drupal 7 (no Composer integration).

Note on Drupal configuration

Disabling discovery cache will prevent this module from functioning.

See this issue #71, specifically this comment.

Installation

Requirements

  1. Install Drupal 10.x
  2. Install simpleSAMLphp
  3. Install drupalauth - composer require drupalauth/simplesamlphp-module-drupalauth
  4. Configure SimpleSAMLphp to use something other than phpsession for session storage, e.g., SQL or memcache (See: store.type in simplesamlphp/config/config.php).
  5. Configure the authentication source in simplesamlphp/config/authsources.php as described below.

Authenticate against Drupal but use the SimpleSAMLphp login page

The advantage of this approach is that there is no obvious connection between SimpleSAMLphp IdP and the Drupal site.

Details

Configure the authentication source by putting the following code into simplesamlphp/config/authsources.php:

'drupal-userpass' => array(
    'drupalauth:UserPass',

    // The filesystem path of the Drupal directory.
    'drupalroot' => '/var/www/drupal',

    // Whether to turn on debug
    'debug' => true,

    // Which attributes should be retrieved from the Drupal site.
    'attributes' => array(
        array('field_name' => 'uid', 'attribute_name' => 'uid'),
        array('field_name' => 'roles', 'attribute_name' => 'roles', 'field_property' => 'target_id'),
        array('field_name' => 'name', 'attribute_name' => 'cn'),
        array('field_name' => 'mail', 'attribute_name' => 'mail'),
        array('field_name' => 'field_first_name', 'attribute_name' => 'givenName'),
        array('field_name' => 'field_last_name', 'attribute_name' => 'sn'),
        array('field_name' => 'field_organization', 'attribute_name' => 'ou', 'field_property' => 'target_id'),
    ),
),

Leave 'attributes' empty or unset to get all available field values. Attribute names in this case would be "$field_name:$property_name".

Authenticate against Drupal but use the Drupal login page

The advantage of this approach is that the SimpleSAMLphp IdP session is tied to a Drupal session. This allows the user who is already logged into the Drupal site to then navigate to a SAML SP that uses the IdP without the need to authenticate again.

Details

Configure the authentication source by putting the following code into simplesamlphp/config/authsources.php:

'drupal-userpass' => array(
    'drupalauth:External',

    // The filesystem path of the Drupal directory.
    'drupalroot' => '/var/www/drupal',

    // Whether to turn on debug
    'debug' => true,

    // The URL of the Drupal logout page
    'drupal_logout_url' => 'https://www.example.com/drupal/user/logout',

    // The URL of the Drupal login page
    'drupal_login_url' => 'https://www.example.com/drupal/user/login',

    // Which attributes should be retrieved from the Drupal site.
    'attributes' => array(
        array('field_name' => 'uid', 'attribute_name' => 'uid'),
        array('field_name' => 'roles', 'attribute_name' => 'roles', 'field_property' => 'target_id'),
        array('field_name' => 'name', 'attribute_name' => 'cn'),
        array('field_name' => 'mail', 'attribute_name' => 'mail'),
        array('field_name' => 'field_first_name', 'attribute_name' => 'givenName'),
        array('field_name' => 'field_last_name', 'attribute_name' => 'sn'),
        array('field_name' => 'field_organization', 'attribute_name' => 'ou', 'field_property' => 'target_id'),
    ),
),

simplesamlphp-module-drupalauth's People

Contributors

cato-cit, daggerhart, dkosbob, galooph, jdleonard, patrickharriscatalyst, rmuit, rosk0, sanchiz, sergiuteaca

simplesamlphp-module-drupalauth's Issues

PHP Notices and bug report

1.)
Notice: Use of undefined constant DRUPAL_ROOT - assumed 'DRUPAL_ROOT' in /simplesamlphp/modules/drupalauth/lib/Auth/Source/UserPass.php on line 107
To fix change line 107 from
define(DRUPAL_ROOT, $drupalAuthConfig->getDrupalroot());
to
define('DRUPAL_ROOT', $drupalAuthConfig->getDrupalroot());

2.)
Strict standards: Creating default object from empty value in /var/www/bloodhound/simplesamlphp/modules/drupalauth/lib/Auth/Source/UserPass.php on line 119

to fix add the following below line 118
if(!is_object($user)){
  $user = new stdClass();
}

so that:

global $user;
$user->uid = 0;

becomes:

global $user;
if(!is_object($user)){
  $user = new stdClass();
}
$user->uid = 0;

Original issue reported on code.google.com by [email protected] on 19 Apr 2012 at 11:02

User fields of type "List (text)" are not passed through authentication. Patch attached.

Hi, I'm using Drupal 7.22 under Linux, Drupalauth version 1.2.1_1x_7x

I successfully configured the authentication, and custom text fields are passed correctly to the SP application, but it turns out that if I define a field of type "List (text)" in Drupal the field isn't passed through the authentication.

I've been working on the file External.php around line 266. It seems that the key 'safe_value' is not in the dictionary '$userAttrs[$userKey]['und'][0]' but there is a key 'value' instead.

I attach a patch for drupalauth/lib/Auth/Source/External.php.

Original issue reported on code.google.com by [email protected] on 18 Aug 2013 at 2:47

SLO Issue with IdP

What steps will reproduce the problem?
1. In the same browser (different tabs), sign into 2 SPs and the IdP. 
2. Initiate "Log Out" from the IdP (Drupal 7 Website)
3. You are only logged out from the IdP (Drupal 7 site), not the IdPs. 
4. If you initiate "Log Out" from any of the SPs, you are logged out of all 3 
SPs and the IdP (Drupal 7 site)

What is the expected output? What do you see instead?
Once logged out of the IdP (Drupal 7 site), I should be able to go to the SP 
tabs, and hit "refresh" and be redirected to a login page. That doesn't happen. 
I'm able to continue navigating throughout both SPs. 


What version of the product are you using? On what operating system?
I'm using the latest version of simpleSAMLphp on the IdP which is running a 
Drupal 7 website. 

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 19 Mar 2014 at 8:20

drupal Federated Log In


Location:
http://idp.saml.net/simplesaml/module.php/drupalauth/resume.php?State=_6a8b4f8b612de6d04c64becee5c38bf94efac5ccc6%3Ahttp%3A%2F%2Fidp.saml.net%2Fsimplesaml%2Fsaml2%2Fidp%2FSSOService.php%3Fspentityid%3Dhttp%253A%252F%252Fsp.saml.net%26cookieTime%3D1403620133%26RelayState%3Dhttp%253A%252F%252Flocal2.saml.net%252Fsaml_login

Message

Notice: Undefined variable: attributes in sspmod_drupalauth_Auth_Source_External->getUser() (line 294 of D:\wamp\www\drupal-7-23-idp\simplesaml\modules\drupalauth\lib\Auth\Source\External.php).

Original issue reported on code.google.com by [email protected] on 24 Jun 2014 at 2:34

Logout redirect

What steps will reproduce the problem?
1. Use a SP
2. Call the $as->logout(array('ReturnTo' => $url)); method.

What is the expected output? What do you see instead?
After being logged out of saml and drupal, you would expect to be redirected to the $url provided in the logout() method as described in https://simplesamlphp.org/docs/stable/simplesamlphp-sp-api#section_5

What version of the product are you using? On what operating system?
Drupal 7, simpleSAMLphp latest.

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 15 May 2014 at 1:38

baseurlpath not handled correctly by Drupal module

1. Configure drupalauth + drupalauth4ssp
2. In the simplesaml config.php file, set baseurlpath to any valid URL (http://...)

Logins do not work, because the cookie path that the Drupal module is trying to set will be equal to /http://... as per the following code:

  // get the baseurlpath
  $config['baseurlpath'] = '/' . $sspConfig->getValue('baseurlpath');

Original issue reported on code.google.com by [email protected] on 26 Nov 2013 at 10:27
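
The failure reported above, reproduced with a corrected derivation next to it. This is an added example, not code from drupalauth4ssp; the function names and sample values are constructed for illustration, and it assumes baseurlpath is either a relative path or a full http(s) URL, as the report describes.

```php
<?php
declare(strict_types=1);

// Derivation quoted in the report: assumes baseurlpath is always a relative path.
function naiveCookiePath(string $baseurlpath): string
{
    return '/' . $baseurlpath;
}

// Hypothetical helper: accepts both forms of baseurlpath and always returns
// a path that starts and ends with "/".
function cookiePathFromBaseUrlPath(string $baseurlpath): string
{
    if (preg_match('#^https?://#i', $baseurlpath) === 1) {
        // Full URL: only the path component belongs in a cookie path.
        $path = parse_url($baseurlpath, PHP_URL_PATH);
        $path = is_string($path) ? $path : '';
    } else {
        $path = $baseurlpath;
    }

    $path = trim($path, '/');

    return $path === '' ? '/' : '/' . $path . '/';
}

// Constructed sample values.
$samples = [
    'simplesaml/',
    'https://idp.example.com/simplesaml/',
    'https://idp.example.com',
    'http://idp.example.com:8080/sso/saml/',
];

foreach ($samples as $baseurlpath) {
    printf(
        "%-40s naive=%-45s fixed=%s\n",
        $baseurlpath,
        naiveCookiePath($baseurlpath),
        cookiePathFromBaseUrlPath($baseurlpath)
    );
}
```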

Ensure trusted host settings checks do not fail

When trying to validate a local IdP configuration via the default-sp authentication provided by simplesamlphp, I got the following error:

The website encountered an unexpected error. Please try again later.
Symfony\Component\HttpKernel\Exception\BadRequestHttpException: The provided host name is not valid for this server. in Drupal\Core\DrupalKernel->initializeSettings() (line 1091 of /Users/plach/Work/www/eln/web/core/lib/Drupal/Core/DrupalKernel.php).
Drupal\Core\DrupalKernel->initializeSettings(Object) (Line: 274)
Drupal\Core\DrupalKernel::createFromRequest(Object, Object, 'prod', 1, '/Users/plach/Work/www/eln/config-vendor/simplesamlphp/../../web') (Line: 31)
SimpleSAML\Module\drupalauth\DrupalHelper->bootDrupal('/Users/plach/Work/www/eln/config-vendor/simplesamlphp/../../web') (Line: 149)
SimpleSAML\Module\drupalauth\Auth\Source\External->getUser() (Line: 295)
SimpleSAML\Module\drupalauth\Auth\Source\External::resume() (Line: 12)
require('/Users/plach/Work/www/eln/vendor/simplesamlphp/simplesamlphp/modules/drupalauth/www/resume.php') (Line: 236)
SimpleSAML\Module::process() (Line: 9)

The reason turned out to be that Drupal was bootstrapped with an empty HTTP_HOST, which made trusted host settings fail.

Class not found error after user logs in

If a user is not logged in to Drupal, he gets a WSOD after logging in, before being redirected to the website.
If a user is logged in beforehand, all works just fine.

Error: Class 'Symfony\Component\HttpFoundation\ResponseHeaderBag' not found in Symfony\Component\HttpFoundation\Response->__construct() (Zeile 204 in /srv/www/htdocs/vendor/symfony/http-foundation/Response.php)

#0 /srv/www/htdocs/core/includes/errors.inc(165): Symfony\Component\HttpFoundation\Response->__construct()
#1 /srv/www/htdocs/core/includes/errors.inc(83): _drupal_log_error(Array, false)
#2 /srv/www/htdocs/core/includes/bootstrap.inc(346): _drupal_error_handler_real(2, 'Declaration of ...', '/srv/www/htdocs...', 93)
#3 /var/simplesamlphp/vendor/composer/ClassLoader.php(571): _drupal_error_handler(2, 'Declaration of ...', '/srv/www/htdocs...', 93, Array)
#4 /var/simplesamlphp/vendor/composer/ClassLoader.php(571): include()
#5 /var/simplesamlphp/vendor/composer/ClassLoader.php(428): Composer\Autoload\includeFile('/srv/www/htdocs...')
#6 [internal function]: Composer\Autoload\ClassLoader->loadClass('Symfony\Compone...')
#7 [internal function]: spl_autoload_call('Symfony\Compone...')
#8 /srv/www/htdocs/vendor/symfony/http-foundation/Response.php(15): class_exists('Symfony\Compone...')
#9 /var/simplesamlphp/vendor/composer/ClassLoader.php(571): include('/srv/www/htdocs...')
#10 /var/simplesamlphp/vendor/composer/ClassLoader.php(428): Composer\Autoload\includeFile('/srv/www/htdocs...')
#11 [internal function]: Composer\Autoload\ClassLoader->loadClass('Symfony\Compone...')
#12 /srv/www/htdocs/vendor/simplesamlphp/simplesamlphp/lib/SimpleSAML/XHTML/Template.php(32): spl_autoload_call('Symfony\Compone...')
#13 /var/simplesamlphp/vendor/composer/ClassLoader.php(571): include('/srv/www/htdocs...')
#14 /var/simplesamlphp/vendor/composer/ClassLoader.php(428): Composer\Autoload\includeFile('/srv/www/htdocs...')
#15 [internal function]: Composer\Autoload\ClassLoader->loadClass('SimpleSAML\XHTM...')
#16 /srv/www/htdocs/vendor/simplesamlphp/simplesamlphp/lib/SimpleSAML/Utils/HTTP.php(1356): spl_autoload_call('SimpleSAML\XHTM...')
#17 /srv/www/htdocs/vendor/simplesamlphp/saml2/src/SAML2/Compat/Ssp/Container.php(107): SimpleSAML\Utils\HTTP::submitPOSTData('https://xxx', Array)
#18 /srv/www/htdocs/vendor/simplesamlphp/saml2/src/SAML2/HTTPPost.php(54): SAML2\Compat\Ssp\Container->postRedirect('https://xxx', Array)
#19 /var/simplesamlphp/modules/saml/lib/IdP/SAML2.php(117): SAML2\HTTPPost->send(Object(SAML2\Response))
#20 [internal function]: SimpleSAML\Module\saml\IdP\SAML2::sendResponse(Array)
#21 /srv/www/htdocs/vendor/simplesamlphp/simplesamlphp/lib/SimpleSAML/IdP.php(290): call_user_func(Array, Array)
#22 /srv/www/htdocs/vendor/simplesamlphp/simplesamlphp/lib/SimpleSAML/IdP.php(337): SimpleSAML\IdP::postAuthProc(Array)
#23 [internal function]: SimpleSAML\IdP::postAuth(Array)
#24 /var/simplesamlphp/lib/SimpleSAML/Auth/Source.php(248): call_user_func(Array, Array)
#25 [internal function]: SimpleSAML\Auth\Source::loginCompleted(Array)
#26 /var/simplesamlphp/lib/SimpleSAML/Auth/Source.php(161): call_user_func(Array, Array)
#27 /var/simplesamlphp/modules/drupalauth/lib/Auth/Source/External.php(316): SimpleSAML\Auth\Source::completeAuth(Array)
#28 /var/simplesamlphp/modules/drupalauth/www/resume.php(12): SimpleSAML\Module\drupalauth\Auth\Source\External::resume()
#29 /var/simplesamlphp/lib/SimpleSAML/Module.php(266): require('/var/simplesaml...')
#30 /var/simplesamlphp/www/module.php(10): SimpleSAML\Module::process()
#31 {main}

PHP 8 Support

Issue
Trying to install simplesamlphp-module-drupalauth 1.8.1 via composer on PHP 8.x.
Errors:

Problem 1
    - drupalauth/simplesamlphp-module-drupalauth is locked to version 1.8.1 and an update of this package was not requested.
    - drupalauth/simplesamlphp-module-drupalauth 1.8.1 requires php ^5.6.0|^7.0 -> your php version (8.0.10) does not satisfy that requirement.
  Problem 2
    - simplesamlphp/simplesamlphp is locked to version v1.19.1 and an update of this package was not requested.
    - simplesamlphp/simplesamlphp v1.19.1 requires php >=7.1 <8.0 -> your php version (8.0.10) does not satisfy that requirement.
  Problem 3
    - drupalauth/simplesamlphp-module-drupalauth 1.8.1 requires php ^5.6.0|^7.0 -> your php version (8.0.10) does not satisfy that requirement.
    - drupal/drupalauth4ssp 1.2.0 requires drupalauth/simplesamlphp-module-drupalauth ~1.8.0 -> satisfiable by drupalauth/simplesamlphp-module-drupalauth[1.8.1].
    - drupal/drupalauth4ssp is locked to version 1.2.0 and an update of this package was not requested.

To Reproduce
On Ubuntu with PHP 8.0.10,
Add in composer.json : in require "drupalauth/simplesamlphp-module-drupalauth": "^1.8"
Run composer install

Information:

  • PHP version in use 8.0.10
  • Drupal core version 9.2.4
  • Ubuntu 20.04.2 LTS /

The Drupal Module "drupalauth4ssp" does not work with Drupal 6 (user hooks not triggered)

The Drupal Module "drupalauth4ssp" does not work with Drupal 6 (user hooks not 
triggered).
To make it work a new "hook" function drupalauth4ssp_user(...) needs to be added to simplesamlphp/modules/drupalauth/drupal_module/drupalauth4ssp/drupalauth4ssp.module.
The user hook functions in drupalauth4ssp.module are only triggered in Drupal 
7, but are not triggered in Drupal 6.
drupalauth4ssp_user(...) provides the equivalent functionality for Drupal 6. 
Since the "user" hook does not seem to be triggered in Drupal 7, it does not 
seem to be an issue to leave that function in the Drupal 7 version (in other 
words it would seem that the module with that function added will work with 
both Drupal 6 and 7).

Attached is an updated drupalauth4ssp.module and, as an alternative, a patch 
"drupalauth4ssp.module.patch" to apply the change.

Alan Barrett

Original issue reported on code.google.com by [email protected] on 4 Nov 2013 at 4:37

Booting Drupal will break Drupal services

PHP stack:

[18-Mar-2021 07:43:40 UTC] Drupal\Component\Plugin\Exception\PluginNotFoundException: The "field_item:language" plugin does not exist. Valid plugin IDs for Drupal\Core\TypedData\TypedDataManager are:  in /mnt/www/html/xxx/docroot/core/lib/Drupal/Component/Plugin/Discovery/DiscoveryTrait.php on line 53 #0 /mnt/www/html/xxx/docroot/core/lib/Drupal/Component/Plugin/Discovery/DiscoveryCachedTrait.php(25): Drupal\Core\Plugin\DefaultPluginManager->doGetDefinition(Array, 'field_item:lang...', true)
#1 /mnt/www/html/xxx/docroot/core/lib/Drupal/Core/TypedData/TypedDataManager.php(248): Drupal\Core\Plugin\DefaultPluginManager->getDefinition('field_item:lang...')
#2 /mnt/www/html/xxx/docroot/core/lib/Drupal/Core/TypedData/DataDefinition.php(263): Drupal\Core\TypedData\TypedDataManager->getDefaultConstraints(Object(Drupal\Core\Field\TypedData\FieldItemDataDefinition))
#3 /mnt/www/html/xxx/docroot/core/lib/Drupal/Core/TypedData/DataDefinition.php(271): Drupal\Core\TypedData\DataDefinition->getConstraints()
#4 /mnt/www/html/xxx/docroot/core/lib/Drupal/Core/Field/BaseFieldDefinition.php(374): Drupal\Core\TypedData\DataDefinition->getConstraint('ComplexData')
#5 /mnt/www/html/xxx/docroot/core/modules/user/src/Entity/User.php(466): Drupal\Core\Field\BaseFieldDefinition->addPropertyConstraints('value', Array)
#6 /mnt/www/html/xxx/docroot/core/lib/Drupal/Core/Entity/EntityFieldManager.php(214): Drupal\user\Entity\User::baseFieldDefinitions(Object(Drupal\Core\Entity\ContentEntityType))
#7 /mnt/www/html/xxx/docroot/core/lib/Drupal/Core/Entity/EntityFieldManager.php(179): Drupal\Core\Entity\EntityFieldManager->buildBaseFieldDefinitions('user')
#8 /mnt/www/html/xxx/docroot/core/lib/Drupal/Core/Entity/EntityFieldManager.php(330): Drupal\Core\Entity\EntityFieldManager->getBaseFieldDefinitions('user')
#9 /mnt/www/html/xxx/docroot/core/lib/Drupal/Core/Entity/Sql/SqlContentEntityStorage.php(1238): Drupal\Core\Entity\EntityFieldManager->getFieldDefinitions('user', 'user')
#10 /mnt/www/html/xxx/docroot/core/lib/Drupal/Core/Entity/Sql/SqlContentEntityStorage.php(524): Drupal\Core\Entity\Sql\SqlContentEntityStorage->loadFromDedicatedTables(Array, false)
#11 /mnt/www/html/xxx/docroot/core/lib/Drupal/Core/Entity/Sql/SqlContentEntityStorage.php(449): Drupal\Core\Entity\Sql\SqlContentEntityStorage->mapFromStorageRecords(Array)
#12 /mnt/www/html/xxx/docroot/core/lib/Drupal/Core/Entity/Sql/SqlContentEntityStorage.php(415): Drupal\Core\Entity\Sql\SqlContentEntityStorage->getFromStorage(Array)
#13 /mnt/www/html/xxx/docroot/core/lib/Drupal/Core/Entity/EntityStorageBase.php(300): Drupal\Core\Entity\Sql\SqlContentEntityStorage->doLoadMultiple(Array)
#14 /mnt/www/html/xxx/docroot/core/lib/Drupal/Core/Entity/EntityStorageBase.php(250): Drupal\Core\Entity\EntityStorageBase->loadMultiple(Array)
#15 /mnt/www/html/xxx/docroot/core/lib/Drupal/Core/Entity/EntityBase.php(544): Drupal\Core\Entity\EntityStorageBase->load('211')
#16 /mnt/www/html/xxx/vendor/simplesamlphp/simplesamlphp/modules/drupalauth/lib/Auth/Source/External.php(156): Drupal\Core\Entity\EntityBase::load('211')
#17 /mnt/www/html/xxx/vendor/simplesamlphp/simplesamlphp/modules/drupalauth/lib/Auth/Source/External.php(299): SimpleSAML\Module\drupalauth\Auth\Source\External->getUser()
#18 /mnt/www/html/xxx/vendor/simplesamlphp/simplesamlphp/modules/drupalauth/www/resume.php(12): SimpleSAML\Module\drupalauth\Auth\Source\External::resume()
#19 /mnt/www/html/xxx/vendor/simplesamlphp/simplesamlphp/lib/SimpleSAML/Module.php(260): require('/mnt/www/html/m...')
#20 /mnt/www/html/xxx/vendor/simplesamlphp/simplesamlphp/www/module.php(10): SimpleSAML\Module::process()

Autoloader issue with version 1.8-beta2

Drupal version 8.8.8

DrupalAuth version 1.8-beta-2
Simplesamlphp (install via composer) version: vendor/simplesamlphp/simplesamlphp (1.17.8)

simplesamlphp info:
[Screenshot: Screen Shot 2020-10-01 at 8 51 00 am]

Did a composer require drupalauth/simplesamlphp-module-drupalauth 1.8.0-beta2

The simplesamlphp session store is set to sql

  'store.type' => 'sql',

I have added this to authsources.php

  'drupal-userpass' => array(
    'drupalauth:UserPass',

    // The filesystem path of the Drupal directory.
    'drupalroot' => '/var/www/mysite/docroot',

    // Whether to turn on debug
    'debug' => true,

    // Which attributes should be retrieved from the Drupal site.
    'attributes' => array(
      array('field_name' => 'uid', 'attribute_name' => 'uid'),
      array('field_name' => 'roles', 'attribute_name' => 'roles', 'field_property' => 'target_id'),
      array('field_name' => 'name', 'attribute_name' => 'cn'),
      array('field_name' => 'mail', 'attribute_name' => 'mail'),
      array('field_name' => 'field_first_name', 'attribute_name' => 'givenName'),
      array('field_name' => 'field_last_name', 'attribute_name' => 'sn'),
      array('field_name' => 'field_organization', 'attribute_name' => 'ou', 'field_property' => 'target_id'),
    ),
  ),

drupal-userpass shows as an authentication source:
[Screenshot: Screen Shot 2020-10-01 at 8 56 01 am]

Clicking drupal-userpass takes me to the login page, where I enter any username and password, doesn't matter as the error
occurs regardless.

[Screenshot: Screen Shot 2020-10-01 at 9 05 43 am]

The resulting error from the login form submission:

Url: http://local.mystite.com/simplesaml/module.php/core/loginuserpass.php?

Warning: get_class() expects parameter 1 to be object, bool given in Drupal\Core\DrupalKernel->initializeSettings() (line 1072 of /var/www/mysite/docroot/core/lib/Drupal/Core/DrupalKernel.php).
Drupal\Core\DrupalKernel->initializeSettings(Object) (Line: 275)
Drupal\Core\DrupalKernel::createFromRequest(Object, 1, 'prod', 1, '/var/www/mysite/docroot') (Line: 25)
SimpleSAML\Module\drupalauth\DrupalHelper->bootDrupal('/var/www/mysite/docroot') (Line: 110)
SimpleSAML\Module\drupalauth\Auth\Source\UserPass->login('admin', '*****') (Line: 285)
SimpleSAML\Module\core\Auth\UserPassBase::handleLogin('_4f3d49dc1b2dcdcb278a73439c5c91c5cf5301cb15:http://local.mysite.com/simplesaml/module.php/core/as_login.php?AuthId=drupal-userpass&amp;ReturnTo=http%3A%2F%2Flocal.mysite.com%2Fsimplesaml%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Ddrupal-userpass', 'admin', '*****') (Line: 83)
require('/var/www/mysite/vendor/simplesamlphp/simplesamlphp/modules/core/www/loginuserpass.php') (Line: 236)
SimpleSAML\Module::process() (Line: 9)
Warning: get_class() expects parameter 1 to be object, bool given in Drupal\Core\DrupalKernel->initializeSettings() (line 1087 of /var/www/mysite/docroot/core/lib/Drupal/Core/DrupalKernel.php).
Drupal\Core\DrupalKernel->initializeSettings(Object) (Line: 275)
Drupal\Core\DrupalKernel::createFromRequest(Object, 1, 'prod', 1, '/var/www/mysite/docroot') (Line: 25)
SimpleSAML\Module\drupalauth\DrupalHelper->bootDrupal('/var/www/mysite/docroot') (Line: 110)
SimpleSAML\Module\drupalauth\Auth\Source\UserPass->login('admin', '*****') (Line: 285)
SimpleSAML\Module\core\Auth\UserPassBase::handleLogin('_4f3d49dc1b2dcdcb278a73439c5c91c5cf5301cb15:http://local.mysite.com/simplesaml/module.php/core/as_login.php?AuthId=drupal-userpass&amp;ReturnTo=http%3A%2F%2Flocal.mysite.com%2Fsimplesaml%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Ddrupal-userpass', 'admin', '*****') (Line: 83)
require('/var/www/mysite/vendor/simplesamlphp/simplesamlphp/modules/core/www/loginuserpass.php') (Line: 236)
SimpleSAML\Module::process() (Line: 9)
The website encountered an unexpected error. Please try again later.
InvalidArgumentException: The class finder must implement a "findFile" method. in Symfony\Component\ClassLoader\ApcClassLoader->__construct() (line 77 of /var/www/mysite/vendor/symfony/class-loader/ApcClassLoader.php).
Symfony\Component\ClassLoader\ApcClassLoader->__construct('drupal.class_loader.8.8.8.8.8.8.fcd90ee3042737ccddb1e417b2fb9ac8a5d78b2b922aa0b94333b1be9b23c608', 1) (Line: 1095)
Drupal\Core\DrupalKernel->initializeSettings(Object) (Line: 275)
Drupal\Core\DrupalKernel::createFromRequest(Object, 1, 'prod', 1, '/var/www/mysite/docroot') (Line: 25)
SimpleSAML\Module\drupalauth\DrupalHelper->bootDrupal('/var/www/mysite/docroot') (Line: 110)
SimpleSAML\Module\drupalauth\Auth\Source\UserPass->login('admin', '*****') (Line: 285)
SimpleSAML\Module\core\Auth\UserPassBase::handleLogin('_4f3d49dc1b2dcdcb278a73439c5c91c5cf5301cb15:http://local.mysite.com/simplesaml/module.php/core/as_login.php?AuthId=drupal-userpass&amp;ReturnTo=http%3A%2F%2Flocal.mysite.com%2Fsimplesaml%2Fmodule.php%2Fcore%2Fauthenticate.php%3Fas%3Ddrupal-userpass', 'admin', '*****') (Line: 83)
require('/var/www/mysite/vendor/simplesamlphp/simplesamlphp/modules/core/www/loginuserpass.php') (Line: 236)
SimpleSAML\Module::process() (Line: 9)

Roles don't get added to the attributes array.

When using Drupal 8 as an IDP for a Drupal 7 site I couldn't get roles to appear when setting the attributes to the following:

   array('field_name' => 'roles', 'attribute_name' => 'roles'),

However when removing the attributes array from the authsources.php file so that all attributes are shown the roles do appear. However the key for the array is roles:0:target_id. Instead of uid:0:value. I couldn't figure out where that difference appears in the code.

When setting the user info and syncing for a Drupal 7 site while not listing the individual attributes in the authsources.php file the array names include :0:value. Using the longer array keys for some fields works nicely. (Like uid:0:value or name:0:value) However this doesn't work for the roles field which does additional processing based on colons.

To get the non-attributes to work I edited the getAllAttributes function within DrupalHelper.php to remove the extra long array keys.

protected function getAllAttributes($drupaluser, $forbiddenAttributes)
{
    $attributes = [];
    foreach ($drupaluser as $field_name => $field) {
        if (!in_array($field_name, $forbiddenAttributes, true)) {
            $count = $field->count();

            $field_properties = $field
                ->getFieldDefinition()
                ->getFieldStorageDefinition()
                ->getPropertyDefinitions();
            foreach ($field_properties as $property_name => $property_definition) {
                if (!$property_definition->isComputed() && !$property_definition->isInternal()) {
                    $index = 0;
                    while ($index < $count) {
                        $property_value = $field->get($index)->{$property_name};
                        if (!empty($property_value) && is_scalar($property_value)) {
                            $attributes["$field_name:$index:$property_name"][] = $property_value;
                        }
                        $index++;
                    }
                }
            }
        }
    }
    // Removes :0:value or :0:target_id from the array keys that look like this: uid:0:value
    // Since the roles are later parsed by simplesamlphp based on a colon this must be removed.
    foreach ($attributes as $k => $v) {
      // Check to make sure that the value does include the colon.
      if (strpos($k, ':') !== false) {
        // Uses explode function to divide the key into an array based on the colon.
        $new_key = explode(":", $k);
        // If there are not multiple attributes for the same key.
        // empty() avoids an undefined-index notice the first time a key is seen.
        if (empty($attributes[$new_key[0]])) {
          // Takes the value of the original key and adds it to the array with a new key name with the first string from the explode function.
          $attributes[$new_key[0]] = $v;
        }
        else {
          // If there are multiple attributes for the same key add the secondary value to the array.
          array_push($attributes[$new_key[0]], $v[0]);
        }
        // Removes the original key and value.
        unset($attributes[$k]);
      }
    }
    return $attributes;
}

Drupal's bootstrap overrides SimpleSamlPHP's exception handler

When drupal_bootstrap() is invoked, Drupal's exception handler (_drupal_exception_handler()) replaces SimpleSamlPHP's exception handler (SimpleSAML_exception_handler()).

  • When an invalid SSO request is received, SimpleSamlPHP throws an Exception.
  • This is caught by Drupal's Exception handler, which attempts to generate a Drupal error page.
  • The error page invokes Drupal's theme layer.
  • If aggregate-css or aggregate-js is turned on, Drupal attempts to build the CSS/JS caches.
  • The cache-generation attempts to call file_get_contents() on the relevant CSS/JS files.
  • The file_get_contents() calls fail, because the current working directory is the SimpleSamlPHP service, not the Drupal docroot.
  • This triggers multiple watchdog() calls to record the error.

The effect is multiple watchdog entries with messages such as

Warning: file_get_contents(misc/jquery.once.js): failed to open stream: No such file or directory in drupal_build_js_cache() (line 5049 of /var/www/includes/common.inc).
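
The handler replacement described above, and one way to put the IdP's handler back after the bootstrap returns. This is an added example, not code from the module or from either project: idpExceptionHandler(), cmsExceptionHandler() and fakeBootstrap() are constructed stand-ins for SimpleSAML_exception_handler(), _drupal_exception_handler() and drupal_bootstrap().

```php
<?php
declare(strict_types=1);

// Stand-in for SimpleSAML_exception_handler() (constructed for this example).
function idpExceptionHandler(Throwable $e): void
{
    echo 'IdP error page: ', $e->getMessage(), PHP_EOL;
}

// Stand-in for _drupal_exception_handler() (constructed for this example).
function cmsExceptionHandler(Throwable $e): void
{
    echo 'CMS error page via theme layer: ', $e->getMessage(), PHP_EOL;
}

// Stand-in for drupal_bootstrap(): registers its own handler as a side effect.
function fakeBootstrap(): void
{
    set_exception_handler('cmsExceptionHandler');
}

// Read the active handler without changing it: set_exception_handler()
// returns the previous handler, and restore_exception_handler() undoes
// the temporary null registration.
function currentExceptionHandler(): ?callable
{
    $handler = set_exception_handler(null);
    restore_exception_handler();

    return $handler;
}

// Run a bootstrap callable and reinstall whatever exception handler was
// active before it, if the bootstrap replaced it.
function bootstrapKeepingHandler(callable $bootstrap): void
{
    $before = currentExceptionHandler();
    $bootstrap();

    if ($before !== null && currentExceptionHandler() !== $before) {
        set_exception_handler($before);
    }
}

// The IdP registers its handler first, as SimpleSAMLphp does on start-up.
set_exception_handler('idpExceptionHandler');

// Without the wrapper, the bootstrap leaves the CMS handler active.
fakeBootstrap();
echo 'after plain bootstrap:   ', var_export(currentExceptionHandler(), true), PHP_EOL;

// Reset to the starting state and repeat with the wrapper.
set_exception_handler('idpExceptionHandler');
bootstrapKeepingHandler('fakeBootstrap');
echo 'after wrapped bootstrap: ', var_export(currentExceptionHandler(), true), PHP_EOL;

// An uncaught exception (the invalid SSO request in the report) now reaches
// the IdP's handler instead of the CMS error page.
throw new RuntimeException('invalid SSO request');
```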

Stale Drupal user attribute returned

One of our clients ran into an issue where a field on the Drupal user object (mapped by drupalauth) would be edited, but the new value wouldn't be immediately reflected in the mapped attribute.

We got around this by forcing the data retrieved using user_load() to be reloaded, instead of relying on the cached value.

So https://github.com/Sanchiz/drupalauth/blob/master/lib/Auth/Source/External.php#L232 becomes

      // load the user object from Drupal
      $drupaluser = user_load($drupaluid, TRUE);

Drupal simplesaml Login Problem

Made 2 Drupal installations - one as parent and other one as child.

Made 2 'SimpleSAMLphp' installations - one as Identity Provider(idp) and other 
as Service Provider(sp).

In the parent Drupal 'drupalauth4ssp' module is enabled

Also, in the 'BASIC SETUP' of the parent Drupal, idp path is given in 
'Installation directory' and 'drupalauth:External' is given in 'Authentication 
source'.

The module 'drupalauth' is enabled in the idp installation.


In the child Drupal 'simplesamlphp_auth' module is enabled.


Also, in the 'BASIC SETUP' of the child Drupal, sp path is given in 
'Installation directory' and 'default-sp' is given in 'Authentication source'.


After I log in to the parent Drupal, when I click 'Federated Log In' to log in to the child Drupal I am getting an error page

Unhandled exception
An unhandled exception was thrown.
If you report this error, please also report this tracking number which makes 
it possible to locate your session in the logs available to the system 
administrator: 44ecfc19f2
Debug information

The debug information below may be of interest to the administrator / help desk:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
0 D:\wamp\www\simplesaml\www\module.php:180 (N/A)
Caused by: SimpleSAML_Error_Exception: User not authenticated after login page.
Backtrace:
2 D:\wamp\www\simplesaml\modules\drupalauth\lib\Auth\Source\External.php:439 
(sspmod_drupalauth_Auth_Source_External::resume)
1 D:\wamp\www\simplesaml\modules\drupalauth\www\resume.php:12 (require)
0 D:\wamp\www\simplesaml\www\module.php:135 (N/A)


Original issue reported on code.google.com by [email protected] on 19 Jun 2014 at 10:06

Accept query parameters in drupal_login_url config

Hello,
In my current project we need to set the URL with a query string parameter, but the actual result is wrong because this module concatenates the value defined in drupal_login_url with "?ReturnTo=".$returnTo, so it generates a URL with two "?" characters and breaks the URL.

We changed this concatenation to check whether the drupal_login_url URL has parameters; if it has, we concatenate and generate a correct URL.
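
One way to build that redirect so a drupal_login_url that already carries a query string stays valid. This is an added example, not the module's code or the reporter's patch; the function name and the sample URLs are hypothetical.

```php
<?php
/**
 * Added example: append ReturnTo to a configured login URL that may or may
 * not already contain a query string. The function name is hypothetical.
 */
function drupalauth_example_login_redirect(string $loginUrl, string $returnTo): string
{
    // Set any fragment aside: parameters have to be placed before '#'.
    $fragment = '';
    $hashPos = strpos($loginUrl, '#');
    if ($hashPos !== false) {
        $fragment = substr($loginUrl, $hashPos);
        $loginUrl = substr($loginUrl, 0, $hashPos);
    }

    // Pick the separator from what the configured URL already contains.
    if (strpos($loginUrl, '?') === false) {
        $separator = '?';
    } elseif (in_array(substr($loginUrl, -1), ['?', '&'], true)) {
        $separator = '';
    } else {
        $separator = '&';
    }

    // rawurlencode() keeps '?', '&' and '=' inside ReturnTo from being read
    // as part of the login URL's own query string.
    return $loginUrl . $separator . 'ReturnTo=' . rawurlencode($returnTo) . $fragment;
}

// Constructed sample values.
$returnTo = 'https://idp.example.org/simplesaml/module.php/drupalauth/resume.php?State=_abc123';
$configuredUrls = [
    'https://idp.example.org/user',
    'https://idp.example.org/user?language=fr',
    'https://idp.example.org/?q=user&',
    'https://idp.example.org/user?language=fr#login',
];
foreach ($configuredUrls as $configured) {
    echo drupalauth_example_login_redirect($configured, $returnTo), PHP_EOL;
}
```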

Redirect after logout

The issue is that when passing a return to param to the logout() method, the 
param is not used.

Here is working code to make that work; the code uses snippets from the Drupal 
redirect logout module.

drupalauth4ssp.module
// implements hook_user_logout()
function drupalauth4ssp_user_logout($account) {
  // Get the configuration information from SimpleSAMLphp
  $sspConfig = _drupalauth4ssp_get_simplesamlphp_config();

  // If we don't have configuration, exit without doing anything
  if (!is_array($sspConfig)) {
    // The least we can do is write something to the watchdog so someone will know what's happening.
    // $account is the user being logged out; $user is not defined in this scope.
    watchdog('drupalauth4ssp', 'Could not use drupalauth for %name, could not get the SimpleSAMLphp configuration.', array('%name' => $account->name));
    return;
  }

  // Delete the cookie
  setcookie($sspConfig['cookie_name'], "", time() - 3600 , $sspConfig['baseurlpath']);

  // if the ReturnTo URL is present, send the user to the URL
  if (isset($_GET['ReturnTo']) && $_GET['ReturnTo']) {
    $destination = &drupal_static(__FUNCTION__);
    $destination = $_GET['ReturnTo'];
  }
}

/**
 * Implements hook_drupal_goto_alter().
 */
function drupalauth4ssp_drupal_goto_alter(&$path, &$options, &$http_response_code) {
  $destination = &drupal_static('drupalauth4ssp_user_logout');
  if (!$path && $destination) {
    drupal_goto($destination);
  }
}

And here is the code change for External.php
  /**
   * This function is called when the user starts a logout operation, for example
   * by logging out of a SP that supports single logout.
   *
   * @param array &$state  The logout state array.
   */
  public function logout(&$state) {
    assert('is_array($state)');

    if (!session_id()) {
      /* session_start not called before. Do it here. */
      session_start();
    }

    /*
     * In this example we simply remove the 'uid' from the session.
     */
    unset($_SESSION['uid']);

    // Added armor plating, just in case
    if (isset($_COOKIE[$this->cookie_name])) {
      setcookie($this->cookie_name, "", time() - 3600, $this->cookie_path);
    }

    if (isset($state['ReturnTo'])) {
      SimpleSAML_Utilities::redirect($this->drupal_logout_url, array(
        'ReturnTo' => $state['ReturnTo'],
      ));
    }
    else {
      /*
       * Redirect the user to the Drupal logout page
       */
      header('Location: ' . $this->drupal_logout_url);
    }
    die;
  }

Original issue reported on code.google.com by [email protected] on 16 May 2014 at 5:34
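
The hook above hands `$_GET['ReturnTo']` to `drupal_goto()` unchanged, so the logout link decides where the browser ends up. A check that could sit in front of that redirect, as an added example that is not part of the original issue or of either module; the function name, the host allowlist and the sample URLs are assumptions.

```php
<?php
/**
 * Added example (not module code): decide where a logout may redirect.
 * $allowedHosts is an assumed, deployment-specific list of SP host names.
 */
function drupalauth_example_safe_return_to(string $candidate, array $allowedHosts, string $fallback): string
{
    // Reject whitespace, control characters and backslashes outright:
    // browsers strip or normalise them, so the host PHP parses may not be
    // the host the browser finally visits.
    if ($candidate === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $candidate)) {
        return $fallback;
    }

    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        // Covers relative paths, protocol-relative "//host" and schemes
        // that have no authority part.
        return $fallback;
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return $fallback;
    }
    // A trusted-looking name in the userinfo part is not the host.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;
    }

    // Exact, case-insensitive host match; no suffix or substring matching.
    $host = strtolower($parts['host']);
    $allowed = array_map('strtolower', $allowedHosts);

    return in_array($host, $allowed, true) ? $candidate : $fallback;
}

// Constructed sample values.
$allowedHosts = ['sp.example.org'];
$fallback = 'https://idp.example.org/';
$samples = [
    'https://sp.example.org/after-logout',
    'https://SP.example.org/after-logout?x=1',
    'http://sp.example.org/after-logout',
    'https://sp.example.org.other.example/',
    'https://sp.example.org@other.example/',
    '//other.example/',
    '/user/login',
];
foreach ($samples as $sample) {
    printf(
        "%-42s => %s\n",
        $sample,
        drupalauth_example_safe_return_to($sample, $allowedHosts, $fallback)
    );
}
```

Only the first two samples pass through; every other value resolves to the fallback URL.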

Conflict between simplesamlphp_auth and drupalauth4ssp

If the modules 'simplesamlphp_auth' and 'drupalauth4ssp' are enabled / 
activated simultaneously on the same Drupal 7 server then an empty page is 
displayed. When I disable one of them or deactivate simplesamlphp_auth then it 
works nicely either as an SP or an IdP. But I need both: I want to use it as a 
User Register with another Drupal server (i.e. as an IdP) while I want to allow 
people to register into this User Register also from external sources such as 
Google and Facebook (i.e. as an SP). The User Register uses two separate 
SimpleSAMLphp installations, two different MySQL databases, and different 
cookies. Of course, the Google/Facebook IdP is based on a third SimpleSAMLphp 
installation.

I have found out there are conflicting (redeclared) functions and classes in 
'vendor/autoload.php', 'vendor/composer/autoload_real.php', 
'simplesamlphp/xmlseclibs/xmlseclibs.php' and 'lib/_autoload_modules.php'.
But I have no idea what the files in the folder 'vendor' do; I have found no 
clue in the documentation - is there a way to resolve these conflicts?

Original issue reported on code.google.com by [email protected] on 21 Feb 2015 at 8:31

Drupalauth module doesn't redirect when user is already logged in

What steps will reproduce the problem?
1. Log in as a user on Drupal site
2. Go to site with SAML SP
3. Redirect to Drupal site
4. Notice that you just get the front page and don't get redirected back to SP 
site.

The attached patch fixes the issue by hooking into hook_init and if the user is 
already logged in ($user->uid != 0), performs the redirect. 

Original issue reported on code.google.com by [email protected] on 22 Dec 2013 at 4:33


Drupal multi-site

How does this work in a multi-site environment when you have multiple websites 
under the same Drupal installation and you only want one of them to be 
authenticated against?

Original issue reported on code.google.com by [email protected] on 1 Apr 2011 at 1:23

Restore CI

Today I discovered that the project is no longer built with Travis CI. This came out of the blue - I haven't seen any messages from Travis CI and somehow managed to miss the news about Travis CI changes.

According to https://blog.travis-ci.com/oss-announcement OSS community is still supported by Travis CI so I sent a message to [email protected] asking for clarification and service restoration. Will wait for feedback now.

Until CI is restored none of the changes will be accepted from PRs.

Hoping for understanding.

Fatal error: require_once(): Failed opening required '/var/www/mysite/docroot/includes/bootstrap.inc'

As per the install instructions, I installed the module, and added the following to authsources.php

Getting this error after adding my authsources config:

    if (!defined('DRUPAL_ROOT')) {
      define('DRUPAL_ROOT', $drupalAuthConfig->getDrupalroot());
    }

   /* Include the Drupal bootstrap */
    //require_once(DRUPAL_ROOT.'/includes/common.inc');
    require_once(DRUPAL_ROOT.'/includes/bootstrap.inc');
    require_once(DRUPAL_ROOT.'/includes/file.inc');

The line in question here is require_once(DRUPAL_ROOT.'/includes/bootstrap.inc'). During Drupal's bootstrapping, before getting here, DRUPAL_ROOT is preset to /var/www/mysite/docroot.

bootstrap.inc is in /var/www/mysite/docroot/core, so it gets the "Failed opening required". I changed the docroot in authsources.php to be /var/www/mysite/docroot/core, yet that doesn't get applied due to the above if (!defined('DRUPAL_ROOT')) {, plus I don't want to remove that because overriding the DRUPAL_ROOT constant here could cause issues.

= Background =

I installed this module via composer, and then added the following to authsources.php


    'drupal-userpass' => array(
      'drupalauth:UserPass',

      // The filesystem path of the Drupal directory.
      'drupalroot' => '/var/www/mysite/docroot/core',

      // Whether to turn on debug
      'debug' => true,

      // Which attributes should be retrieved from the Drupal site.
      'attributes' => array(
        array('field_name' => 'uid', 'attribute_name' => 'uid'),
        array('field_name' => 'roles', 'attribute_name' => 'roles', 'field_property' => 'target_id'),
        array('field_name' => 'name', 'attribute_name' => 'cn'),
        array('field_name' => 'mail', 'attribute_name' => 'mail'),
        array('field_name' => 'field_first_name', 'attribute_name' => 'givenName'),
        array('field_name' => 'field_last_name', 'attribute_name' => 'sn'),
        array('field_name' => 'field_organization', 'attribute_name' => 'ou', 'field_property' => 'target_id'),
      ),
    ),


I originally added `/var/www/mysite/docroot` here, but when I got the above error, I added `/core` to the end of it but the same error persisted.

The Drupal\user\Entity\User class does not correspond to an entity type



Describe the bug
When trying to test configured authentication sources (or directly via /simplesaml/module.php/core/authenticate.php?as=drupal-userpass) we got:

The Drupal\user\Entity\User class does not correspond to an entity type.

To Reproduce
Considering you have a Drupal site and the library configured:

  1. Authenticate on Drupal site;
  2. Go to 'Test authentication sources' (/simplesaml/module.php/core/authenticate.php);
    1. Click on 'drupal-userpass' authentication;
  3. See error

Expected behavior
User should be authenticated properly.

Please complete the following information:

  • PHP version in use: PHP 7.4.16
  • Drupal core version: 8.9.16
  • drupalauth version: 1.8.1
  • SimpleSAMLphp version: 1.18.8
  • webserver version: Apache/2.4.38

Additional context
Full error message:

SimpleSAML\Error\Error: UNHANDLEDEXCEPTION

Backtrace:
1 www/_include.php:17 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Drupal\Core\Entity\Exception\NoCorrespondingEntityClassException: The Drupal\user\Entity\User class does not correspond to an entity type.
Backtrace:
8 /app/docroot/core/lib/Drupal/Core/Entity/EntityTypeRepository.php:98 (Drupal\Core\Entity\EntityTypeRepository::getEntityTypeFromClass)
7 /app/docroot/core/lib/Drupal/Core/Entity/EntityBase.php:543 (Drupal\Core\Entity\EntityBase::load)
6 modules/drupalauth/lib/Auth/Source/External.php:160 (SimpleSAML\Module\drupalauth\Auth\Source\External::getUser)
5 modules/drupalauth/lib/Auth/Source/External.php:181 (SimpleSAML\Module\drupalauth\Auth\Source\External::authenticate)
4 lib/SimpleSAML/Auth/Source.php:208 (SimpleSAML\Auth\Source::initLogin)
3 lib/SimpleSAML/Auth/Simple.php:167 (SimpleSAML\Auth\Simple::login)
2 modules/core/www/authenticate.php:38 (require)
1 lib/SimpleSAML/Module.php:260 (SimpleSAML\Module::process)
0 www/module.php:10 (N/A)

Asserted as another user!

What steps will reproduce the problem?
1. Login to Drupal with acct1
2. Go to /user/acct2 (view the user profile, etc)
3. Initiate a drupalauth-based SAML login to your Service Provider
4. You will be logged in NOT as the currently authenticated session, but as the 
user you viewed.

We are using 7.x-1.0.

It looks like this is the responsible piece of code:
// implements hook_user_view()
function drupalauth4ssp_user_view($account, $view_mode, $langcode) {
  _drupalauth4ssp_exec($account);
}

Commenting this out fixed the issue for us.  

What reason could there be for setting the user cookie on user view?!

Wouldn't it be much safer just to rely on the native SESS* cookie, that already 
relates to the authenticated user session?


Original issue reported on code.google.com by [email protected] on 13 Dec 2013 at 5:47

Add single log-out integration

What steps will reproduce the problem?
1. Log out on Drupal site directly
2. Go to WordPress site, which has SLO support
3. Still logged into WordPress because WordPress is on its own installation of 
SSP, not the same one as the IdP.

What is the expected output? What do you see instead?

Expected to get logged out of WP. In other words, $as->isAuthenticated() should 
fail.


What version of the product are you using? On what operating system?

Latest version. Configured and working on Drupal site.


Please provide any additional information below.

Not logging into Drupal site with SSP because it *is* the IdP. But I can set up 
an SP for it as long as this won't make it too hard for things to work for my 
existing Drupal users.

Original issue reported on code.google.com by kevin.kaland on 15 Dec 2012 at 10:14

Make cookie name required for drupalauth:External authn source

We have the default cookie name set in two places: ConfigHelper https://github.com/drupalauth/simplesamlphp-module-drupalauth/blob/master/lib/ConfigHelper.php#L91 and the drupalauth4ssp module https://git.drupalcode.org/project/drupalauth4ssp/-/blob/8.x-1.x/drupalauth4ssp.module#L131 . This could lead to a situation where a poorly configured installation still works because of the duplicated default cookie name. Having it as required but still having a default means we could remove the duplicated default value declaration in the Drupal module and bring misconfiguration errors to the surface immediately.

Database error on multisite installation

Hello,
When visiting the authsource on the simplesaml server (authentication sources > custom source), it seems that we get an error on a multisite installation:
Drupal\Core\Database\ConnectionNotDefinedException: The specified database connection is not defined: default

No problem, if the settings.php is located in sites/default directory.

Have you seen this problem?

Thanks.

Deprecated warnings in PHP 7

I get these warnings, running in a local docker instance on php7.2 (yes, I know it's eol). On D7, using 1.7 release. SimpleSaml 1.18.8

Deprecated: assert(): Calling assert() with a string argument is deprecated in simplesamlphp/modules/drupalauth/lib/Auth/Source/External.php on line 144

Deprecated: assert(): Calling assert() with a string argument is deprecated in simplesamlphp/modules/drupalauth/lib/Auth/Source/External.php on line 145

Deprecated: assert(): Calling assert() with a string argument is deprecated in simplesamlphp/modules/drupalauth/lib/ConfigHelper.php on line 76

Deprecated: assert(): Calling assert() with a string argument is deprecated in simplesamlphp/modules/drupalauth/lib/ConfigHelper.php on line 77

The warnings correspond to these lines in External.php:

    assert('is_array($info)');
    assert('is_array($config)');

and these lines in ConfigHelper.php:

    assert('is_array($config)');
    assert('is_string($location)');

Per the php.net documentation on assertions:

Assertions should be used as a debugging feature only.

Perhaps the best course of action is to remove these lines entirely, or replace the parameters with the actual is_array(), and is_string() expressions?

There is a serious security issue with the Drupal integration in simplesamlphp

There is a serious security issue with the Drupal integration in simplesamlphp.
The function "getUser()" which returns the attributes for the current user 
picks the Drupal User ID "uid" from a Cookie which obviously passes through the 
client machine. There is nothing stopping a suitably engineered client from 
changing the uid in the Cookie to be any user. Thus the client could acquire 
single sign on credentials for any Drupal user whatsoever by manipulating the 
Cookie so that when a single sign on transaction is started the client machine 
gets logged in to the requesting server as that other user rather than as the 
currently logged in Drupal user.

There is a very straightforward alternative which is to fetch the credentials 
for the currently logged in Drupal user in 
simplesamlphp/modules/drupalauth/lib/Auth/Source/External.php ...
Pseudo code...
global $user;
...
$drupaluid = $user->uid;
...
$drupaluser = user_load($drupaluid);

I have also added "chdir(DRUPAL_ROOT)" in two places as, at least in Drupal 6, 
Drupal generates errors if it is called with the wrong working directory. 
"chdir($a)" changes back the working directory after the call.

The code to fix the above issues is in the attached new version of 
simplesamlphp/modules/drupalauth/lib/Auth/Source/External.php and, as an 
alternative, a patch "External.php.patch" to apply the change. 

Alan Barrett

Original issue reported on code.google.com by [email protected] on 4 Nov 2013 at 4:35
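
The report's fix reads the uid from Drupal's own session. Where a cookie still has to carry the uid between the two applications, its value can be bound to a server-side secret. The added example below (not the module's code or its actual cookie format; the function names, cookie layout and secret are assumptions) puts the unsigned form the report describes beside an HMAC-verified form.

```php
<?php
// Form described in the report: whatever uid the cookie holds is believed.
function example_uid_unsigned(string $cookie): ?int
{
    return ctype_digit($cookie) ? (int) $cookie : null;
}

// Assumed cookie layout for the hardened form:
//   "<uid>:<expires>:<hex HMAC-SHA256 over "<uid>:<expires>">"
function example_issue_cookie(int $uid, int $expires, string $secret): string
{
    $payload = $uid . ':' . $expires;
    return $payload . ':' . hash_hmac('sha256', $payload, $secret);
}

function example_uid_signed(string $cookie, string $secret, int $now): ?int
{
    $parts = explode(':', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$uid, $expires, $mac] = $parts;
    if (!ctype_digit($uid) || !ctype_digit($expires)) {
        return null;
    }

    // Recompute the MAC over exactly the fields that will be trusted and
    // compare in constant time.
    $expected = hash_hmac('sha256', $uid . ':' . $expires, $secret);
    if (!hash_equals($expected, $mac)) {
        return null;
    }

    // A valid MAC on an old cookie must not authenticate forever.
    if ((int) $expires < $now) {
        return null;
    }
    return (int) $uid;
}

// Constructed sample values.
$secret = 'constructed-secret-kept-only-on-the-server';
$now = 1700000000;
$cookie = example_issue_cookie(42, $now + 300, $secret);
// The same cookie with only the uid field changed after it was issued.
$edited = '1' . substr($cookie, strpos($cookie, ':'));

$results = [
    'unsigned cookie, uid field changed' => example_uid_unsigned('1'),
    'signed cookie, untouched'           => example_uid_signed($cookie, $secret, $now),
    'signed cookie, uid field changed'   => example_uid_signed($edited, $secret, $now),
    'signed cookie, after expiry'        => example_uid_signed($cookie, $secret, $now + 3600),
];
foreach ($results as $label => $uid) {
    printf("%-36s => %s\n", $label, var_export($uid, true));
}
```

Signing only stops changes made on the client; the cookie must still be issued for the session's own user, which is why the report proposes reading Drupal's `$user` instead.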

Cannot pass language from SP (fix included)

What steps will reproduce the problem?
It is not possible to provide a language parameter from SP to IdP, because 
drupalauth module will always redirect user to /user path of the IdP Drupal.

What is the expected output? What do you see instead?
Login is always in default language. It would be nice to have it in the same 
language as in SP when user starts the login process.

What version of the product are you using? On what operating system?
Latest code on Drupal 7.30.

Please provide any additional information below.
Below is a fix for both simplesamlphp and drupal modules. A language url 
parameter can be passed from SP to IdP and it will be stored in session. IdP 
Drupal needs to have the language negotiation set to session with "language" as 
parameter name.

Add this to drupalauth4ssp.module

/**
 * Implements hook_init().
 */
function drupalauth4ssp_init() {
  // Store language to session from URL if set
  if (isset($_GET['language'])) {
    $_SESSION['language'] = $_GET['language'];
  }
  // Store destination to session from URL if set
  if (isset($_GET['destination'])) {
    $_SESSION['destination'] = $_GET['destination'];
  }
}

And this to External.php:

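  // If language is set, then append it to URL so that Drupal can react
  if (isset($_GET['language']) && is_string($_GET['language'])) {
    // URL-encode the request value so it cannot add parameters of its own
    $authPage = $authPage . '&language=' . urlencode($_GET['language']);
  }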


Original issue reported on code.google.com by [email protected] on 21 Aug 2014 at 12:32

Reimplement this module properly

Hi,

This module does not really follow the SimpleSAMLphp guidelines on creating authentication sources, creating trouble for users who are configuring SimpleSAMLphp to use the PHP session handler.

While it is true that the code itself and the documentation mention this incompatibility, most users don't read it and have all sorts of problems that are too difficult for them to debug. This leads to frustrated users coming to our mailing list, asking for support to fix something that's not SimpleSAMLphp's fault. The worst part here is that there's really no reason for this limitation nowadays.

Here are the problems that I have identified from a first glance at the drupalauth:External class:

  • Drupal's bootstrapping is done with DRUPAL_BOOTSTRAP_FULL, which is probably not necessary, and has lots of side effects like overriding SimpleSAMLphp's error handler and making it extremely difficult to handle error conditions.

  • The __construct() method should be limited to setting up the auth source basics, and everything needed to perform authentication should be done in the authenticate() method. In particular, Drupal's environment should not be initialized in the constructor. While the footprint of code between the call to the constructor and the call to authenticate() is currently very small, this could change in the future. Given that the Drupal environment is being loaded before the call to authenticate(), it could break SimpleSAMLphp's environment and cause problems if anything else than state initialization is ever done in between.

  • Before initializing Drupal (and its session), SimpleSAMLphp's session should be closed to keep the former from interfering with the latter. In this case, however, the SimpleSAML_Session::cleanup() method cannot be used, since in this flow there won't be a previous session (the request is handled by SimpleSAMLphp from the beginning). This means the code at the beginning of authenticate() should fetch SimpleSAMLphp's session handler, check if it's the PHP session handler, and in that case close the session to ensure no information is lost before handing control over to Drupal:

private function initDrupal() {
        $a = getcwd();
        chdir(DRUPAL_ROOT);
        require_once(DRUPAL_ROOT.'/includes/bootstrap.inc');
        require_once(DRUPAL_ROOT.'/includes/file.inc');

        // bootstrap Drupal's session
        drupal_bootstrap(DRUPAL_BOOTSTRAP_SESSION);

        drupal_load('module', 'system');
        drupal_load('module', 'user');
        drupal_load('module', 'field');
        chdir($a);
}

public function authenticate(&$state) {
    assert('is_array($state)');

    $session = SimpleSAML_Session::getSessionFromRequest();

    $sh = SimpleSAML_SessionHandler::getSessionHandler();
    if ($sh instanceof SimpleSAML_SessionHandlerPHP) {
        // SimpleSAMLphp is using PHP sessions, close the session before we go on
        $sh->saveSession($session);
        session_write_close();
    }

    $this->initDrupal();

    $attributes = $this->getUser();

    // we are done, restore SimpleSAMLphp's session
    SimpleSAML_Session::getSessionFromRequest();

    // check if we are already authenticated
    if ($attributes !== NULL) {
        $state['Attributes'] = $attributes;
        return;
    }

    // redirect to Drupal's login page
     ...
}

I haven't looked much at the drupalauth:UserPass authentication source, but I see more or less the same applies to it.

Cannot login to D9 SP

Hi,

First of all Thanks for your work on this module.

I am trying to make an install where a Drupal instance works as IdP with another D9 instance working as SP.

Drupal version : 9.1.5
DrupalAuth version 8.x-1.1

The configuration is OK, but upon login :

  • I go to the SP website and click on Federated Login, which brings me to the IDP website
  • I enter username & password and I get the following message:

The website encountered an unexpected error. Please try again later.
Error: Call to a member function setFormClass() on null in field_ui_entity_type_build() (line 74 of ore/modules/field_ui/field_ui.module).
field_ui_entity_type_build(Array) (Line: 129)
Drupal\Core\Entity\EntityTypeManager->findDefinitions() (Line: 175)
Drupal\Core\Plugin\DefaultPluginManager->getDefinitions() (Line: 83)
Drupal\Core\Entity\EntityTypeRepository->getEntityTypeFromClass('Drupal\user\Entity\User') (Line: 487)
Drupal\Core\Entity\EntityBase::load('2') (Line: 156)
SimpleSAML\Module\drupalauth\Auth\Source\External->getUser() (Line: 176)
SimpleSAML\Module\drupalauth\Auth\Source\External->authenticate(Array) (Line: 210)
SimpleSAML\Auth\Source->initLogin(Array, NULL, Array) (Line: 169)
SimpleSAML\Auth\Simple->login(Array) (Line: 357)
SimpleSAML\IdP->authenticate(Array) (Line: 415)
SimpleSAML\IdP->handleAuthenticationRequest(Array) (Line: 492)
SimpleSAML\Module\saml\IdP\SAML2::receiveAuthnRequest(Object) (Line: 26)

I went through the installation process + config multiple times.

Thank you in advance for your help/guidance.

Failure to return from simplesaml back to SP when already logged in

I've got the following set up:

IDP: Drupal 9
Simplesamlphp
This module 1.8.0-beta2 + patch to get working on D9 (#61)
Login using Drupal login

Wordpress + https://wordpress.org/plugins/wp-saml-auth/

I've previously got the above working with D8.8.

In this case I'm seeing the following behaviour when not already logged in.

On login from Wordpress I get taken through to simplesamlphp and then to the Drupal login page. Once there everything appears to run through to completion - however I don't get returned back to wordpress and the browser halts on a white page at the following url:

simplesaml/module.php/drupalauth/resume.php?State=_[REMOVED]%3A[BASEURL]simplesaml/saml2/idp/SSOService.php%3Fspentityid%3Durn%253Aalpineclub-wp.fudev.co.nz%26RelayState%3D%252Fwp-login.php%253Faction%253Dwp-saml-auth%26cookieTime%3D1610399519

Refreshing this page returns me back to wordpress.

Debug level Logging enabled in SimpleSamlPHP config.
I don't see any errors in syslog, php fpm error log, Drupal watchdog.
The browser reports a status of 200.

Note: If I am already logged in in drupal I am returned successfully back to wordpress.

I assume this is a fatal D9 error that is being caught in Drupal and somehow not finding its way into watchdog logs.

Support using user fields multiple times for different SAML attributes

You currently are unable to use the same user field for multiple SAML 
attributes. If you do this then only the last SAML attribute will be set. This 
occurs because of the array handling in the loop on line 239 of 
lib/auth/source/External.php.

The use case of this is passing the user email field as the email attribute and 
the username attribute for Salesforce, which wants an email for the username 
field.

Patch attached.

Original issue reported on code.google.com by [email protected] on 6 Sep 2013 at 7:15

Bootstrap Drupal from its app root

When trying to validate a local IdP configuration via the default-sp authentication provided by simplesamlphp, I got the following error:

SimpleSAML\Error\Error: UNHANDLEDEXCEPTION

Backtrace:
1 www/_include.php:17 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Symfony\Component\DependencyInjection\Exception\InvalidArgumentException: The service file "core/core.services.yml" is not valid.
Backtrace:
12 /Users/plach/Work/www/eln/web/core/lib/Drupal/Core/DependencyInjection/YamlFileLoader.php:329 (Drupal\Core\DependencyInjection\YamlFileLoader::loadFile)
11 /Users/plach/Work/www/eln/web/core/lib/Drupal/Core/DependencyInjection/YamlFileLoader.php:63 (Drupal\Core\DependencyInjection\YamlFileLoader::load)
10 /Users/plach/Work/www/eln/web/core/lib/Drupal/Core/DrupalKernel.php:1316 (Drupal\Core\DrupalKernel::compileContainer)
9 /Users/plach/Work/www/eln/web/core/lib/Drupal/Core/DrupalKernel.php:920 (Drupal\Core\DrupalKernel::initializeContainer)
8 /Users/plach/Work/www/eln/web/core/lib/Drupal/Core/DrupalKernel.php:476 (Drupal\Core\DrupalKernel::boot)
7 modules/drupalauth/lib/DrupalHelper.php:32 (SimpleSAML\Module\drupalauth\DrupalHelper::bootDrupal)
6 modules/drupalauth/lib/Auth/Source/External.php:132 (SimpleSAML\Module\drupalauth\Auth\Source\External::getUser)
5 modules/drupalauth/lib/Auth/Source/External.php:176 (SimpleSAML\Module\drupalauth\Auth\Source\External::authenticate)
4 lib/SimpleSAML/Auth/Source.php:208 (SimpleSAML\Auth\Source::initLogin)
3 lib/SimpleSAML/Auth/Simple.php:167 (SimpleSAML\Auth\Simple::login)
2 modules/core/www/authenticate.php:38 (require)
1 lib/SimpleSAML/Module.php:254 (SimpleSAML\Module::process)
0 www/module.php:10 (N/A)

The problem turned out to be that Drupal is trying to load YAML service files using relative paths, which breaks as soon as Drupal is not bootstrapped from its app root.

Steps to reproduce

  1. Log into your Drupal site without going through the SSP authentication
  2. Run drush cr
  3. Visit http://your.idp.domain/SSP-WWW-PATH/module.php/core/authenticate.php?as=drupal-userpass

(I tested those on a Drupal standard installation with only the drupalauth4ssp module enabled)

Call to undefined function entity_load

In the simpleSAMLphp installation page, I clicked on the Authentication tab to 
test the drupalauth connection. I entered a username and password for an 
account in the site and got the following error message on a white screen:

Call to undefined function entity_load() in 
/home/sitename/public_html/modules/user/user.module on line 287



Original issue reported on code.google.com by [email protected] on 1 Oct 2012 at 7:51

Write login events to

It would be nice if this recorded login events (success or failure) to the 
Drupal watchdog. It would also be good if it updated the user's last login 
information as well.

Original issue reported on code.google.com by [email protected] on 1 Jun 2012 at 1:56

Database connection is not defined if default site is not IDP

When you log in to the IDP, it will try to get the DB connection info from the IDP site. If your IDP is not the Drupal default site (like subsite1 is the IDP and subsite2 is the SP), it still tries to get the settings (DB connection info) from the default site. That causes the error below if the default settings DB connection is empty.

The website encountered an unexpected error. Please try again later.
Drupal\Core\Database\ConnectionNotDefinedException: The specified database connection is not defined: default in Drupal\Core\Database\Database::openConnection() (line 361 of /var/www/tdk/docroot/core/lib/Drupal/Core/Database/Database.php).
Drupal\Core\Database\Database::openConnection('default', 'default') (Line: 166)
Drupal\Core\Database\Database::getConnection('default')
call_user_func_array('Drupal\Core\Database\Database::getConnection', Array) (Line: 79)
Drupal\Component\DependencyInjection\PhpArrayContainer->createService(Array, 'database') (Line: 173)
Drupal\Component\DependencyInjection\Container->get('database', 1) (Line: 265)
Drupal\Component\DependencyInjection\PhpArrayContainer->resolveServicesAndParameters(Array) (Line: 62)
Drupal\Component\DependencyInjection\PhpArrayContainer->createService(Array, 'cache.container') (Line: 173)
Drupal\Component\DependencyInjection\Container->get('cache.container') (Line: 544)
Drupal\Core\DrupalKernel->getCachedContainerDefinition() (Line: 896)
Drupal\Core\DrupalKernel->initializeContainer() (Line: 477)
Drupal\Core\DrupalKernel->boot() (Line: 33)
SimpleSAML\Module\drupalauth\DrupalHelper->bootDrupal('/var/www/tdk/docroot') (Line: 132)
SimpleSAML\Module\drupalauth\Auth\Source\External->getUser() (Line: 299)
SimpleSAML\Module\drupalauth\Auth\Source\External::resume() (Line: 12)
require('/var/www/tdk/vendor/simplesamlphp/simplesamlphp/modules/drupalauth/www/resume.php') (Line: 254)
SimpleSAML\Module::process() (Line: 10)

white screen after login

What steps will reproduce the problem?
1. In SP, click 'Test authentication resources' > 'drupal-userpass'
2. Login (E.g. admin credentials)

What is the expected output? What do you see instead?

Expected output = redirect to Drupal SP page and login over there
I see = White screen at simplesaml/module.php/core/loginuserpass.php

What version of the product are you using? On what operating system?
Latest version
Ubuntu

Please provide any additional information below.
I wonder if the problem could be caused by a misconfiguration on the Idp. 
However, I'm not sure about this. Therefore I would like to know if this 
behaviour is 'normal'. Why doesn't the drupalauth module send a redirect?

Regards,
W

Original issue reported on code.google.com by [email protected] on 5 Aug 2011 at 7:53
