Hi,
I'm running an Intranet for a department in a large organization. I need to deny access to the site for anyone who doesn't already have an account, which means I want to deny account creation and only allow people who already have an account to log in. I made some changes to shib_auth.module around line 140:

// Refuse instead of auto-registering: tell the user and log it.
$message = t('No account exists for you in the system...');
drupal_set_message($message, 'error');
// watchdog($type, $message, $variables, $severity): the third argument is the
// placeholder array, the severity goes fourth.
watchdog('shib_auth', $message, array(), WATCHDOG_WARNING);
/* Original auto-registration path, disabled:
user_external_login_register($uname, "shib_auth");
$_SESSION['authentication'] = 'shib_auth';
$user = user_save($user, array('mail' => $umail_single));
*/

It works pretty well, although it displays my message twice for some reason. I just wanted to share this solution and see if there is a better known way to do this.

Comments

#1 bajnokk:

Version: 6.x-3.3 » 6.x-4.x-dev
Category: support » feature

#2 bajnokk:

A more general approach would be to deny user creation based on the received attributes.
This feature is targeted for 4.1.

#3 bajnokk:

Assigned: Unassigned » bajnokk

#4 gp177:

My organization is looking for the same functionality and does not have attributes available to Shibboleth on which to deny from.

It would be helpful if the module respected the Public registrations setting within user settings.

I'd be willing to offer patches/contribution.

#5 shafter:

A simple solution would be to have an option to create blocked users. It is similar to the built-in drupal user registration model.

#6 bajnokk:

OK, I've reconsidered the use case and I think it'd be a cool feature. If the 'big auto-user switch' is off, then instead of creating any user, an error message should be thrown. (Also the message should be configurable.) Forget my suggestion of denying based on attributes.

Because the login/registration flow is very complex now, there might be pitfalls during the implementation, so I'm still not sure if we can make it in 4.0. Anyway, I think, it's a good idea, so we're gonna try it.

#7 electrickite:

Just a quick thought/request: Our organization would find this functionality very helpful. However, contrary to #4 above, I would rather the module not be tied to the Public registration settings within user settings and instead have its own configuration point.

On most of our sites we want to prevent anonymous users from creating accounts, but we may want all users who have an account with our Shibboleth identity provider to be able to authenticate. There are other situations where we want to disable anonymous account creation and only allow login from certain Shibboleth users.

#8 cpliakas:

Status: Active » Needs review
Attached patch: 1.56 KB (new)

I think there are a lot of different use cases here, many of which require the automatic account creation functionality to be turned off. After that, custom / contributed code can be implemented to fill in the gaps. The attached patch, created by hernani, adds a setting to disable automatic account creation.

An example of the custom code that could be implemented utilizing this patch is the Shibboleth Auth Provisioning module which provides a UI to add a whitelist of Shibboleth users. The specific use case this achieves is that a subset of Shibboleth users should have access to the site, and non-technical people should have the ability to control that list. Therefore adding metadata is not an option.

Thanks,
Chris
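The following is an added example, not code from shib_auth or from anyone in this thread. It shows one way to do what the original post did by hand and what #8's setting makes possible: log in only users who already have a Drupal account, and optionally (the #5 variant) create a blocked account instead of refusing outright. It assumes the caller, the module's own login path, has already validated the Shibboleth session and populated $uname (the account name the module maps the identity to) and $umail_single, exactly as in the original post; the function name and the $create_blocked parameter are illustrative. It is written against the Drupal 7 API; for Drupal 6 replace user_load_by_name($uname) with user_load(array('name' => $uname)).

```php
<?php
/**
 * Added example (not shib_auth's own code): establish a session only when a
 * Drupal account already exists for the asserted Shibboleth identity.
 *
 * Assumptions: $uname and $umail_single come from validated Shibboleth
 * attributes; $create_blocked selects the blocked-account variant from #5.
 * Returns TRUE when a session was established, FALSE otherwise.
 */
function example_shib_login_existing_only($uname, $umail_single, $create_blocked = FALSE) {
  global $user;

  $account = user_load_by_name($uname);

  if ($account) {
    if (!$account->status) {
      // user_external_login_register() does not check the status flag, so a
      // blocked account has to be refused here.
      drupal_set_message(t('Your account is blocked.'), 'error', FALSE);
      watchdog('shib_auth', 'Login refused for blocked account %name.',
        array('%name' => $uname), WATCHDOG_WARNING);
      return FALSE;
    }
    // Make sure the {authmap} row tying this account to shib_auth exists
    // (user_set_authmaps() updates or inserts), then take the same login path
    // the unmodified module takes; it finds the account and finalises the
    // session rather than registering a new one.
    user_set_authmaps($account, array('authname_shib_auth' => $uname));
    user_external_login_register($uname, 'shib_auth');
    $_SESSION['authentication'] = 'shib_auth';
    // Keep the mail address current with what the IdP asserted.
    $user = user_save($user, array('mail' => $umail_single));
    return TRUE;
  }

  if ($create_blocked) {
    // Variant from #5: register the account but leave it blocked (status 0)
    // so an administrator must unblock it before it can be used. No session
    // is created for this request.
    $new = user_save(drupal_anonymous_user(), array(
      'name' => $uname,
      'mail' => $umail_single,
      'init' => $umail_single,
      'pass' => user_password(),  // random; password login is never meant to work
      'status' => 0,
    ));
    if ($new) {
      user_set_authmaps($new, array('authname_shib_auth' => $uname));
      drupal_set_message(t('Your account has been created and is waiting for approval.'), 'status', FALSE);
    }
    else {
      drupal_set_message(t('Error saving user account.'), 'error', FALSE);
    }
    return FALSE;
  }

  // Default: refuse. The on-screen message stays generic; the log entry
  // carries the asserted name through a %placeholder so watchdog() escapes
  // it instead of interpolating IdP-supplied data into the message string.
  // $repeat = FALSE stops an identical message already queued in the session
  // from being shown a second time.
  drupal_set_message(t('No account exists for you in the system.'), 'error', FALSE);
  watchdog('shib_auth', 'Login refused: no Drupal account for Shibboleth user %name.',
    array('%name' => $uname), WATCHDOG_WARNING);
  return FALSE;
}
```

The lookup is by account name because that is what the Drupal 6 user_external_login_register() itself keys on; on Drupal 7 the core function keys on the {authmap} table instead, which is why the authmap row is written (idempotently) before delegating, so that an account created by other means is still recognised rather than triggering a duplicate registration attempt. Whichever branch refuses, the function returns without a session; the caller is responsible for ending the request or redirecting, for example to the URL that #15's modification of the patch makes configurable.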

#9 gp177:

Is there any update to this request?

Do you need any additional work done in addition to hernani's code? Is there any testing we can do to help move this along?

#10 cpliakas:

gp177,

Yes, it needs someone from the community to test and verify. If it works as expected for you, then mark the issue as "reviewed & tested by the community"; then it is up to the maintainers whether to accept the patch, flag it as needing more work, or simply ignore it.

Thanks,
Chris

#11 gp177:

Version: 6.x-4.x-dev » 7.x-4.0
Status: Needs review » Reviewed & tested by the community

I have tested and verified the patch works with 7.x-4.0.

#12 jelo:

This issue covers several features, one of which is to deny user creation (#2) based on a Shib attribute. I have created a new issue that is specific to access control based on Shib attributes at http://drupal.org/node/1724166 to not mix it with this patch.

#13 gp177:

#14 mps38:

Hi, after patching and checking the checkbox "Disable account registration", Shib will authenticate and not create a new Drupal user as expected. However, if there was an existing Drupal user of the same username, they will not appear as logged in, where they did before the patch. I am in Drupal 6.25. I'd be happy to provide any more additional info as needed. Thanks-

#15 zerolab:

Issue summary: View changes
Attached patch: 2.87 KB (new)

Hi,

Could not reproduce the issue reported by mps38. But the patch reported in #8, with the attached modification that allows redirecting the user to a specified URL, runs on a large college website.

This is a gentle nudge for this patch to be committed.

Cheers,
Dan

#16 zerolab:

Version: 7.x-4.0 » 7.x-4.x-dev
Status: Reviewed & tested by the community » Needs review

#17 partyka:

zerolab: mps38 said he was using 6.25, but this issue is marked as 7.x-4.x, perhaps that could be why it wasn't reproducible.