function samlauth_user_presave in SAML Authentication 4.x

Same name and namespace in other branches
  1. 8.3 samlauth.module \samlauth_user_presave()
  2. 8.2 samlauth.module \samlauth_user_presave()

Implements hook_user_presave().

File

./samlauth.module, line 163
Allows users to authenticate against an external SAML identity provider.

Code

function samlauth_user_presave(UserInterface $account) {
  static $recursion_detection = FALSE;

  // Synchronize user attributes for a new user before saving an account
  // (instead of subscribing to the externalauth.register event), so we don't
  // need to save the new user a second time to add our SAML attribute values.
  // This also means that if attribute synchronization throws an exception, we
  // don't end up with a half baked user saved in the database.
  if (!$recursion_detection && $account->isNew()) {

    // Check that we're processing a valid ACS request, by checking the user
    // name attribute in the OneLogin\Saml2\Auth object. Note we get the
    // SamlService and construct a OneLogin\Saml2\Auth object on every first
    // user save in a request, which is not ideal but not too wasteful since
    // user saves don't happen often.

    /** @var \Drupal\samlauth\SamlService $saml_service */
    $saml_service = \Drupal::service('samlauth.saml');
    if ($saml_service->getAttributeByConfig('user_name_attribute')) {

      // This code assumes that the first save operation of a new user is
      // connected to SAML attributes found in a request. That's a safe bet;
      // those attributes are really only set if a SAML response was just
      // processed and validated by the ACS. No other code can come in between
      // processing that request and saving a new user. (If an
      // externalauth.authmap_alter or samlauth.user_link event feels the need
      // to independently create and save a user... we have bigger issues.) A
      // samlauth.user_sync event listener, which we will dispatch now, could
      // accidentally call user_save() again on this account... which is why we
      // implement $recursion_detection.
      $recursion_detection = TRUE;
      $saml_service->synchronizeUserAttributes($account, TRUE);
    }
  }
}
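
The two conditions in the hook can be watched in isolation with the stand-alone sketch below. It is an added example, not code from the samlauth module: `DemoAccount`, `DemoSamlService`, `demo_user_presave()` and the attribute values are hypothetical stand-ins, and the listener that re-saves the account is the careless case the code comment warns about.

```php
<?php
// Hypothetical stand-ins for the Drupal user entity and the SAML service.
final class DemoAccount {
  public array $fields = [];
  public bool $new = TRUE;

  public function save(): void {
    demo_user_presave($this);  // The presave hook runs before the write.
    $this->new = FALSE;        // The account stops being "new" only afterwards.
  }
}

final class DemoSamlService {
  public int $syncCalls = 0;

  // $attributes: values from a validated response; empty outside an ACS request.
  public function __construct(private array $attributes) {}

  public function getUserName(): ?string {
    return $this->attributes['uid'] ?? NULL;
  }

  public function synchronize(DemoAccount $account): void {
    $this->syncCalls++;
    $account->fields['mail'] = $this->attributes['mail'] ?? NULL;
    // A careless sync listener saving the account it was handed.
    $account->save();
  }
}

function demo_user_presave(DemoAccount $account): void {
  static $recursion_detection = FALSE;
  global $saml;
  if (!$recursion_detection && $account->new && $saml->getUserName() !== NULL) {
    // Without this flag the nested save() would re-enter synchronize()
    // forever, because the account is still "new" during presave.
    $recursion_detection = TRUE;
    $saml->synchronize($account);
  }
}

// Case 1: a user is created outside a SAML login; nothing is synchronized.
$saml = new DemoSamlService([]);
(new DemoAccount())->save();
printf("no SAML attributes: sync calls = %d\n", $saml->syncCalls);

// Case 2: constructed sample attributes, as after a validated ACS response.
$saml = new DemoSamlService(['uid' => 'alice', 'mail' => 'alice@example.org']);
$account = new DemoAccount();
$account->save();
printf("with SAML attributes: sync calls = %d, mail = %s\n", $saml->syncCalls, $account->fields['mail']);
```

As in the hook above, the flag is never reset, so only the first new user saved with SAML attributes present in a request is synchronized.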