Added comments to code and updated docs

silverstripe · Oct 5, 2023 · 1b3e049 · 1b3e049
1 parent f73273b
commit 1b3e049
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 4 deletions.
diff --git a/docs/en/developer.md b/docs/en/developer.md
@@ -151,6 +151,22 @@ SilverStripe\SAML\Extensions\SAMLMemberExtension:
     'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Email'
 ```
 
+### User groups mapping
+
+By default, any new users logged in using SSO will not have any groups assigned to them. If you want them to have want to bring over the groups from the Provider via claims field, you could enable it via
+
+```yml
+SilverStripe\SAML\Services\SAMLConfiguration:
+  map_user_group: true
+```
+
+and specify the claims field to map
+
+```yml
+SilverStripe\SAML\Helpers\SAMLUserGroupMapper:
+  group_claims_field: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/groups'
+```
+
 ### GUID Transformation
 
 If you prefer to receive the GUID in lower-case or upper-case format you can use the
@@ -392,6 +408,14 @@ SilverStripe\SAML\Services\SAMLConfiguration:
 this configuration allows you to add two GET query parameters to endpoint request URL:
 `https://your-idp.com/singleSignOnService/saml2?someGetQueryParameter=value&AnotherParameter=differentValue&SAMLRequest=XYZ....`
 
+### Automatically redirect after authentication
+If the user has CMS permission and you want to redirect to the CMS after successful authentication, you can set the default login destination like this:
+
+```yaml
+SilverStripe\Security\Security:
+  default_login_dest: 'admin'
+```
+
 ## Resources
 
  - [ADFS Deep-Dive: Onboarding Applications](http://blogs.technet.com/b/askpfeplat/archive/2015/03/02/adfs-deep-dive-onboarding-applications.aspx)
diff --git a/src/Control/SAMLController.php b/src/Control/SAMLController.php
@@ -5,7 +5,6 @@
 use Exception;
 
 use function gmmktime;
-
 use function uniqid;
 use OneLogin\Saml2\Auth;
 use OneLogin\Saml2\Constants;
@@ -25,7 +24,6 @@
 use SilverStripe\SAML\Model\SAMLResponse;
 use SilverStripe\SAML\Services\SAMLConfiguration;
 use SilverStripe\Security\IdentityStore;
-
 use SilverStripe\Security\Member;
 use SilverStripe\Security\Security;
 

diff --git a/src/Helpers/SAMLUserGroupMapper.php b/src/Helpers/SAMLUserGroupMapper.php
@@ -26,6 +26,13 @@ class SAMLUserGroupMapper
         'SAMLConfService' => '%$' . SAMLConfiguration::class,
     ];
 
+    /**
+     * Check if group claims field is set and assigns member to group
+     *
+     * @param [] $attributes
+     * @param Member $member
+     * @return Member
+     */
     public function map($attributes, $member): Member
     {
         $groups = $this->config()->get('group_claims_field');
@@ -39,18 +46,22 @@ public function map($attributes, $member): Member
 
         foreach ($groupTitles as $groupTitle) {
             // Get Group object by Title
-            // TODO: Title for Group should be unique
             $group = DataObject::get_one(Group::class, [
                 '"Group"."Title"' => $groupTitle
             ]);
 
+            // Create group if it doesn't exist yet
             if (!$group) {
                 $group = new Group();
                 $group->Title = $groupTitle;
                 $group->write();
             }
 
-            $member->write();
+            // Add group to user and make sure user has been created
+            if (!$member->exists()) {
+                $member->write();
+            }
+
             $member->Groups()->add($group);
         }