Project: Shibboleth authentication
Version: 6.x-3.1
Component: Miscellaneous
Category: support request
Priority: normal
Assigned: Unassigned
Status: closed (fixed)

Issue Summary

Hi there,

We've got to a stage where logging in via Shibboleth and the test federation will create a new user and email address in Drupal.

Next step to test would be the Role assignment functionality by setting up a new rule.

For the server variable I entered "HTTP_CN"
For the Reg ex I entered ".*" to match anything
...followed by checking a particular role.

However, logging in doesn't assign any role to the user. Have I therefore done anything wrong with the above?

Many thanks in advance

Comments

#1

Please turn on debugging and check what headers are available. Don't forget that the headers you see as administrator might differ from what you get as a logged in user.

Basically, role assignment should work as you describe above, so I can't advise anything other than trying other header fields (e.g. "HTTP_SHIB_IDENTITY_PROVIDER", or "Shib-Identity-Provider" in Shib2, is always available for any properly authenticated user) and double-checking that you really don't get the permissions described by the role.

And remember that dynamic roles are not displayed on the user page as roles, because this information is not saved in the user profile (hence dynamic).

Cheers,
Kristof

#2

Ah, this might be where I'm going wrong. In a separate/different browser (IE) I'm in the User admin view, and in Firefox I'm logging in and noticing no role assigned in the user page.

I'll try setting some permissions for the role and retesting. Thanks!

#3

I am configuring a new Drupal site using the Shibboleth Authentication module and have had the same issue, i.e., authentication occurs but roles are not automatically assigned according to my rules. I was not already a user of this module, so I cannot say if it did or did not work in the past. But I added a line of code after line 211 of shib_auth.module which adds the roles for the user.

Found this line of code (line 211):
user_access('access content', $account, TRUE);
and inserted this immediately after it:
$user = user_save($user, array('roles'=>$user->roles));

As a newbie, I don't assume this is the best way to make it work, I am just saying it works for me.

Best,
Ben

#4

Status: active » closed (fixed)

[Sorry for not responding earlier]

We deliberately do not save the roles to the user. These roles are dynamic, they're in effect but not visible on the role administration page.

#5

Unfortunately, some of the access control modules (content_access, node_access, nodeaccess) only appear to work if the roles are in the database and ignore the dynamic roles from shib_auth.

#6

@bajnokk - if someone were to write this in as a configurable option in the admin ui for this module, would you accept it?
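
The trade-off discussed in #3 to #6, as an added example (standalone PHP, not code from shib_auth.module or from any commenter): roles derived per request from the server variables disappear when the attribute does, while roles written to the account stay. The rule shape follows the issue summary; the function name, role names, IdP URL and sample requests are constructed, and the saved set assumes nothing removes a role once it has been stored.

```php
<?php
// Added illustration; runs without Drupal. All names and values are constructed.

/**
 * Roles granted for ONE request, derived only from that request's server
 * variables. Assumes the rule regex contains no '~' (used as delimiter).
 */
function dynamic_roles(array $server, array $rules): array {
    $roles = [];
    foreach ($rules as $rule) {
        // In this model an absent variable never matches, even with ".*".
        if (!isset($server[$rule['var']])) {
            continue;
        }
        if (preg_match('~' . $rule['regex'] . '~', $server[$rule['var']]) === 1) {
            $roles[$rule['role']] = true;
        }
    }
    return array_keys($roles);
}

$rules = [
    ['var' => 'HTTP_CN', 'regex' => '.*', 'role' => 'staff'],
    ['var' => 'HTTP_SHIB_IDENTITY_PROVIDER',
     'regex' => '^https://idp\.example\.org/', 'role' => 'federation user'],
];

// Same user, two logins: the IdP stops releasing cn before the second one.
$logins = [
    'login 1' => ['HTTP_CN' => 'Test User',
                  'HTTP_SHIB_IDENTITY_PROVIDER' => 'https://idp.example.org/shibboleth'],
    'login 2' => ['HTTP_SHIB_IDENTITY_PROVIDER' => 'https://idp.example.org/shibboleth'],
];

$saved = []; // models roles written to the account, as in comment #3
foreach ($logins as $label => $server) {
    $dynamic = dynamic_roles($server, $rules);
    $saved   = array_values(array_unique(array_merge($saved, $dynamic)));
    // Stale = still stored on the account but no longer backed by an attribute.
    $stale   = array_values(array_diff($saved, $dynamic));
    printf("%s: dynamic=[%s] saved=[%s] stale=[%s]\n", $label,
        implode(', ', $dynamic), implode(', ', $saved), implode(', ', $stale));
}
```

If roles are persisted so that modules such as content_access can see them, a non-empty stale set is what a periodic review of stored roles against current attributes would need to catch.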