From 1b3e04901752ba09c018d84eb722e64410e4180d Mon Sep 17 00:00:00 2001
From: James Zhu
Date: Thu, 5 Oct 2023 17:04:10 +1300
Subject: [PATCH] Added comments to code and updated docs
---
 docs/en/developer.md | 24 ++++++++++++++++++++++++
 src/Control/SAMLController.php | 2 --
 src/Helpers/SAMLUserGroupMapper.php | 15 +++++++++++++--
 3 files changed, 37 insertions(+), 4 deletions(-)
diff --git a/docs/en/developer.md b/docs/en/developer.md
index 0db56fd..5888a52 100644
--- a/docs/en/developer.md
+++ b/docs/en/developer.md
@@ -151,6 +151,22 @@ SilverStripe\SAML\Extensions\SAMLMemberExtension:
 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Email'
 ```
+### User groups mapping
+
+By default, any new users logged in using SSO will not have any groups assigned to them. If you want them to have want to bring over the groups from the Provider via claims field, you could enable it via
+
+```yml
+SilverStripe\SAML\Services\SAMLConfiguration:
+ map_user_group: true
+```
+
+and specify the claims field to map
+
+```yml
+SilverStripe\SAML\Helpers\SAMLUserGroupMapper:
+ group_claims_field: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/groups'
+```
+
 ### GUID Transformation
 If you prefer to receive the GUID in lower-case or upper-case format you can use the 
@@ -392,6 +408,14 @@ SilverStripe\SAML\Services\SAMLConfiguration:
 this configuration allows you to add two GET query parameters to endpoint request URL: `https://your-idp.com/singleSignOnService/saml2?someGetQueryParameter=value&AnotherParameter=differentValue&SAMLRequest=XYZ....`
+### Automatically redirect after authentication
+If the user has CMS permission and you want to redirect to the CMS after successful authentication, you can set the default login destination like this:
+
+```yaml
+SilverStripe\Security\Security:
+ default_login_dest: 'admin'
+```
+
 ## Resources
 - [ADFS Deep-Dive: Onboarding Applications](http://blogs.technet.com/b/askpfeplat/archive/2015/03/02/adfs-deep-dive-onboarding-applications.aspx)
diff --git a/src/Control/SAMLController.php b/src/Control/SAMLController.php
index 8a43bf6..c4e617b 100644
--- a/src/Control/SAMLController.php
+++ b/src/Control/SAMLController.php
@@ -5,7 +5,6 @@ use Exception;
 use function gmmktime;
- use function uniqid;
 use OneLogin\Saml2\Auth;
 use OneLogin\Saml2\Constants;
@@ -25,7 +24,6 @@ use SilverStripe\SAML\Model\SAMLResponse;
 use SilverStripe\SAML\Services\SAMLConfiguration;
 use SilverStripe\Security\IdentityStore;
- use SilverStripe\Security\Member;
 use SilverStripe\Security\Security;
diff --git a/src/Helpers/SAMLUserGroupMapper.php b/src/Helpers/SAMLUserGroupMapper.php
index 110e010..e6dc4fe 100644
--- a/src/Helpers/SAMLUserGroupMapper.php
+++ b/src/Helpers/SAMLUserGroupMapper.php
@@ -26,6 +26,13 @@ class SAMLUserGroupMapper
 'SAMLConfService' => '%$' . SAMLConfiguration::class,
 ];
+ /**
+ * Check if group claims field is set and assigns member to group
+ *
+ * @param [] $attributes
+ * @param Member $member
+ * @return Member
+ */
 public function map($attributes, $member): Member
 {
 $groups = $this->config()->get('group_claims_field');
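Review bot: The docblock added above `map()` in SAMLUserGroupMapper.php declares `@param [] $attributes`, which is not a valid PHPDoc type and tells static analysis nothing; `@param array<string, mixed> $attributes` is the honest shape here, since the body reads `group_claims_field` from config and, presumably, uses it as a key into `$attributes` further down, outside this hunk. The signature itself stays untyped, so `@param Member $member` and `@return Member` are only comments — `public function map(array $attributes, Member $member): Member` would make that contract enforced rather than described (assuming `Member` is imported in this file, which the hunk does not show). The one-line summary should also state what the method trusts: group titles come from the IdP's group claim and, as the loop later in the same method shows, are matched against any existing `Group` by `Title` or created when missing, so the IdP assertion is authoritative for local group membership — a maintainer reading only this docblock would not learn that. A summary such as `Maps the group titles asserted in the configured group claim onto local Group records (matched by Title, created when missing) and joins $member to each; the IdP claim is treated as authoritative for membership.` captures it, and the body of `map()` continues past the end of this hunk.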
@@ -39,18 +46,22 @@ public function map($attributes, $member): Member
 foreach ($groupTitles as $groupTitle) {
 // Get Group object by Title
- // TODO: Title for Group should be unique
 $group = DataObject::get_one(Group::class, [
 '"Group"."Title"' => $groupTitle
 ]);
+ // Create group if it doesn't exist yet
 if (!$group) {
 $group = new Group();
 $group->Title = $groupTitle;
 $group->write();
 }
- $member->write();
+ // Add group to user and make sure user has been created
+ if (!$member->exists()) {
+ $member->write();
+ }
+
 $member->Groups()->add($group);
 }