function saml_sp_drupal_login__saml_authenticate in SAML Service Provider 3.x
Same name and namespace in other branches
- 8.3 modules/saml_sp_drupal_login/saml_sp_drupal_login.module \saml_sp_drupal_login__saml_authenticate()
- 8.2 modules/saml_sp_drupal_login/saml_sp_drupal_login.module \saml_sp_drupal_login__saml_authenticate()
- 7.8 modules/saml_sp_drupal_login/saml_sp_drupal_login.module \saml_sp_drupal_login__saml_authenticate()
- 7 modules/saml_sp_drupal_login/saml_sp_drupal_login.module \saml_sp_drupal_login__saml_authenticate()
- 7.2 modules/saml_sp_drupal_login/saml_sp_drupal_login.module \saml_sp_drupal_login__saml_authenticate()
- 7.3 modules/saml_sp_drupal_login/saml_sp_drupal_login.module \saml_sp_drupal_login__saml_authenticate()
- 4.x modules/saml_sp_drupal_login/saml_sp_drupal_login.module \saml_sp_drupal_login__saml_authenticate()
SAML authentication callback.
1 string reference to 'saml_sp_drupal_login__saml_authenticate'
- SamlSPDrupalLoginController::initiate in modules/
saml_sp_drupal_login/ src/ Controller/ SamlSPDrupalLoginController.php - Initiate a SAML login for the given IdP.
File
- modules/
saml_sp_drupal_login/ saml_sp_drupal_login.module, line 99 - SAML Drupal Login.
Code
function saml_sp_drupal_login__saml_authenticate($is_valid, Response $saml_response, Idp $idp) {
$redirect_url = $_POST['RelayState'] ?: Url::fromRoute('<front>')
->toString();
if (!$is_valid) {
\Drupal::messenger()
->addError(t('Could not authenticate via %idp_label', [
'%idp_label' => $idp
->label(),
]));
\Drupal::logger('saml_sp')
->warning('Could not authenticate via %idp_label', [
'%idp_label' => $idp
->label(),
]);
return new RedirectResponse($redirect_url);
}
$attributes = $saml_response
->getAttributes();
// Get the NameID value from response.
$name_id = $saml_response
->getNameId();
if (\Drupal::config('saml_sp.settings')
->get('debug')) {
_saml_sp__debug('Response NameId', $name_id);
}
// If email address is not used to identify user,
// it has to be in the attributes.
if ($idp
->getNameIdField() != 'mail') {
// Try to get email from SAML response attributes.
try {
$email = $attributes['mail'][0];
} catch (Exception $e) {
\Drupal::logger('saml_sp')
->error('No mail attribute available; please check IdP %idp_label configuration. Exception message: %exception', [
'%idp_label' => $idp
->label(),
'%exception' => $e->message,
]);
// TODO: should we give up here and not allow authentication?
}
}
else {
$email = $name_id;
}
$site_register_access = \Drupal::config('user.settings')
->get('register');
$config = \Drupal::config('saml_sp_drupal_login.config');
$success = FALSE;
if ($user = saml_sp_drupal_login_get_user($name_id, $idp
->getNameIdField(), $email)) {
// Successful login to existing user account.
$success = TRUE;
}
elseif ($site_register_access == UserInterface::REGISTER_VISITORS) {
// Successful authentication, but no user account.
// New users are allowed to register.
$language = \Drupal::languageManager()
->getCurrentLanguage()
->getId();
$user = User::create();
// Mandatory:
$user
->setPassword(random_bytes(64));
$user
->enforceIsNew();
$user
->setEmail($email);
$user
->setUsername($email);
// Optional:
$user
->set('init', $email);
$user
->set('langcode', $language);
$user
->set('preferred_langcode', $language);
$user
->set('preferred_admin_langcode', $language);
/*
$user->set('setting_name', 'setting_value');
$user->addRole('rid');
/**/
// Activate and save user account.
$user
->activate();
$result = $user
->save();
\Drupal::logger('saml_sp')
->notice('New SSO user account for %mail with UID %uid.', [
'%mail' => $email,
'%uid' => $user
->id(),
]);
$success = TRUE;
}
elseif ($config
->get('no_account_authenticated_user_role') && $config
->get('no_account_authenticated_user_account')) {
// Successful authentication, but no user account.
// The setting allows for them to get an authenticated role.
$user = User::load($config
->get('no_account_authenticated_user_account'));
if (empty($user)) {
\Drupal::messenger()
->addError(t('You have been authenticated but there is no account available for you to continue logging in. Please contact a site administrator.'));
\Drupal::logger('saml_sp')
->notice('User authenticated via %idp_label with email %mail, cannot grant access to generic account as the generic account could not be loaded.', [
'%idp_label' => $idp
->label(),
'%mail' => $email,
]);
$success = FALSE;
}
else {
\Drupal::logger('saml_sp')
->notice('User authenticated via %idp_label with email %mail, granted access to %name account.', [
'%idp_label' => $idp
->label(),
'%mail' => $email,
'%name' => $user
->getAccountName(),
]);
$success = TRUE;
}
}
else {
// Successful authentication, but no user account.
$_SESSION['authenticated_via_saml_sp'] = TRUE;
$tokens = [
'%mail' => $email,
'%idp_label' => $idp
->label(),
];
$rvaa = $site_register_access == UserInterface::REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL;
$arra = $config
->get('account_request_request_account');
if (!$rvaa && !$arra) {
// Only administrators can register new users.
$no_account_message = t('No account matching %mail has been found. Please contact a site administrator.', $tokens);
\Drupal::messenger()
->addWarning($no_account_message);
}
else {
// The user is allowed to request an account from administrators.
// Do not create an account, and redirect to the registration page.
if ($rvaa) {
// User is allowed to request by account settings.
$registration_route = 'user.register';
}
else {
// User is allowed to request by SAML SP Drupal Login settings.
$registration_route = 'saml_sp_drupal_login.register';
}
\Drupal::messenger()
->addWarning(t('This site requires you to request an account.'));
$redirect_url = Url::fromRoute($registration_route, [], [
'query' => [
'email' => $email,
],
])
->toString();
}
\Drupal::logger('saml_sp')
->warning("User attempting to login through %idp_label with %mail which doesn't match any accounts.", $tokens);
}
if ($success) {
// @see user_login_name_validate().
if ($user
->isBlocked() || !$user
->isActive()) {
\Drupal::messenger()
->addError(t('The username %name has not been activated or is blocked.', [
'%name' => $user
->getAccountName(),
]));
if (\Drupal::config('saml_sp.settings')
->get('debug')) {
_saml_sp__debug('Account', $this);
_saml_sp__debug('Response NameId', $name_id);
}
}
else {
// TODO: this might not be the right place for this. It doesn't do
// anything right now anyway.
saml_sp_drupal_login_update_user_attributes($user, $email, $attributes);
\Drupal::logger('saml_sp')
->notice('User %name logging in through SAML via %idp_name. with NameID %mail', [
'%name' => $user
->getAccountName(),
'%idp_name' => $idp
->label(),
'%mail' => $email,
]);
// Store the fact that the user logged in via the SAML SP module.
$_SESSION['authenticated_via_saml_sp'] = TRUE;
user_login_finalize($user);
}
}
return new RedirectResponse($redirect_url);
}