Commit 2641c9be authored by Robert Lyon's avatar Robert Lyon

Bug 1855560: SAML role prefix to only allow certain users login access

If the IdP only wants certain users to be able to login and have user
creation in Mahara then their roles need to have a prefix.

We check users on authentication to make sure any of their roles are
allowed and if not stop them from logging in.

behatnotneeded

Change-Id: Ibb892849d245e2580480d20ca04606db3aeb6ff4
Signed-off-by: Robert Lyon's avatarRobert Lyon <robertl@catalyst.net.nz>
parent 7850fad9
......@@ -310,6 +310,21 @@ function auth_saml_find_authinstance($saml_attributes) {
}
// now we have the default configs
if ($configs) {
// Check there is a roleprefix set to see if they are allowed to try and login
// We do this here to avoid making an institution for a user that can't login
if (isset($configs['roleprefix']->value)) {
$roleallowed = false;
foreach ($saml_attributes[$configs['role']->value] as $index => $role) {
if (preg_match('/^' . $configs['roleprefix']->value . '/', $role)) {
$roleallowed = true;
}
}
if (!$roleallowed) {
log_debug('User authorisation request from SAML failed - no roles prefixed with "' . $configs['roleprefix']->value . '"');
return false;
}
}
foreach ($saml_attributes[$configs['institutionattribute']->value] as $index => $attr) {
// does this institution use a regex match against the institution check value?
if ($configvalue = $configs['institutionregex']->value) {
......
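Review bot: The admin-configured prefix is interpolated unescaped into the pattern at `preg_match('/^' . $configs['roleprefix']->value . '/', $role)`, so a prefix containing PCRE metacharacters (`.`, `+`, `(`, `/`) either matches more roles than intended or fails to compile, in which case preg_match returns false with a warning and every user is refused. Escape it, `preg_match('/^' . preg_quote($configs['roleprefix']->value, '/') . '/', $role)`, or compare with `strncmp($role, $prefix, strlen($prefix)) === 0` instead of a regex; the same applies to the duplicate loop in AuthSaml at `preg_match('/^' . $roleprefix . '/', $role)`. Separately, this hunk gates the check with `isset($configs['roleprefix']->value)` while the AuthSaml copy uses `!empty($roleprefix)`; if the saved value is an empty string (the form stores `trim($values['roleprefix'])`), isset is true and the loop still runs, which matters because `$saml_attributes[$configs['role']->value]` is read here without the isset guard the other hunk has, so a user with no role attribute is refused with an undefined-index warning. Using `!empty($configs['roleprefix']->value)` and guarding the attribute lookup with isset would make both checks agree. auth_saml_find_authinstance continues outside the hunk.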
......@@ -90,6 +90,7 @@ $string['samlfieldforstudentid'] = 'SSO field for student ID';
$string['samlfieldforavatar'] = 'SSO field for avatar icon';
$string['samlfieldforavatardescription'] = 'Supplied avatar needs to contain a base64 encoded image string';
$string['samlfieldforrole'] = 'SSO field for roles';
$string['samlfieldforroleprefix'] = 'SSO field for role prefix';
$string['samlfieldforrolesiteadmin'] = 'Role mapping for site administrator';
$string['samlfieldforrolesitestaff'] = 'Role mapping for site staff';
$string['samlfieldforroleinstadmin'] = 'Role mapping for institution administrator';
......
<!-- @license http://www.gnu.org/copyleft/gpl.html GNU GPL version 3 or later -->
<!-- @copyright For copyright information on Mahara, please see the README file distributed with this software. -->
<h3>SAML 2.0 field for role prefix</h3>
<p>If the Identity Provider (IdP) passes in role information for the
user logging in then you can set this 'prefix' field so that only
those roles starting with the prefix should be handled by Mahara.</p>
<p>This way the IdP can have different roles for different Service
Providers (SP) and if the user does not have any roles relating to
this prefix then they will not be allowed to login / create user
within Mahara.</p>
......@@ -94,6 +94,7 @@ class AuthSaml extends Auth {
$this->config['avatar'] = '';
$this->config['authloginmsg'] = '';
$this->config['role'] = '';
$this->config['roleprefix'] = '';
$this->config['rolesiteadmin'] = '';
$this->config['rolesitestaff'] = '';
$this->config['roleinstadmin'] = '';
......@@ -158,6 +159,7 @@ class AuthSaml extends Auth {
$studentid = isset($attributes[$this->config['studentidfield']][0]) ? $attributes[$this->config['studentidfield']][0] : null;
$avatar = isset($attributes[$this->config['avatar']][0]) ? $attributes[$this->config['avatar']][0] : null;
$roles = isset($attributes[$this->config['role']]) ? $attributes[$this->config['role']] : array();
$roleprefix = isset($this->config['roleprefix']) ? $this->config['roleprefix'] : null;
$rolesiteadmin = isset($this->config['rolesiteadmin']) ? array_map('trim', explode(',', $this->config['rolesiteadmin'])) : array();
$rolesitestaff = isset($this->config['rolesitestaff']) ? array_map('trim', explode(',', $this->config['rolesitestaff'])) : array();
$roleinstadmin = isset($this->config['roleinstadmin']) ? array_map('trim', explode(',', $this->config['roleinstadmin'])) : array();
......@@ -166,7 +168,19 @@ class AuthSaml extends Auth {
$create = false;
$update = false;
// Check if a user needs a certain role to be allowed to login
if (!empty($roleprefix)) {
$roleallowed = false;
foreach ($roles as $index => $role) {
if (preg_match('/^' . $roleprefix . '/', $role)) {
$roleallowed = true;
}
}
if (!$roleallowed) {
log_debug('User authorisation request from SAML failed - no roles prefixed with "' . $roleprefix . '"');
return false;
}
}
// Retrieve a $user object. If that fails, create a blank one.
try {
$isremote = $this->config['remoteuser'] ? true : false;
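Review bot: The loop at `foreach ($roles as $index => $role)` keeps scanning after the first match and `$index` is unused; a `break;` after `$roleallowed = true;` and `foreach ($roles as $role)` say what is meant. This block is a near-verbatim copy of the check added to auth_saml_find_authinstance, so a small shared helper taking the roles array and the prefix and returning a bool would keep the two from drifting, since both must agree for the institution lookup and the login to behave the same way. The enclosing method starts and ends outside the hunk.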
......@@ -445,6 +459,7 @@ class PluginAuthSaml extends PluginAuth {
'firstnamefield' => '',
'surnamefield' => '',
'role' => '',
'roleprefix' => '',
'rolesiteadmin' => '',
'rolesitestaff' => '',
'roleinstadmin' => '',
......@@ -1384,6 +1399,12 @@ EOF;
'defaultvalue' => self::$default_config['role'],
'help' => false,
),
'roleprefix' => array(
'type' => 'text',
'title' => get_string('samlfieldforroleprefix', 'auth.saml'),
'defaultvalue' => self::$default_config['roleprefix'],
'help' => true,
),
'rolesiteadmin' => array(
'type' => 'text',
'title' => get_string('samlfieldforrolesiteadmin', 'auth.saml'),
......@@ -1578,6 +1599,7 @@ EOF;
'emailfield' => $values['emailfield'],
'studentidfield' => $values['studentidfield'],
'role' => $values['role'],
'roleprefix' => trim($values['roleprefix']),
'rolesiteadmin' => $values['rolesiteadmin'],
'rolesitestaff' => $values['rolesitestaff'],
'roleinstadmin' => $values['roleinstadmin'],
......