* Saml/Shiboleth/SmallPART: allow to use affiliation attribute to sync with Teachers group
This commit is contained in:
parent
b26bcf2978
commit
3c956d0144
@ -146,6 +146,10 @@ class Saml implements BackendSSO
|
||||
];
|
||||
}
|
||||
}
|
||||
|
||||
// check affiliation / group to add or remove
|
||||
self::checkAffiliation($username, $attrs, $GLOBALS['auto_create_acct']);
|
||||
|
||||
// return user session
|
||||
return $GLOBALS['egw']->session->create($username, null, null, false, false);
|
||||
}
|
||||
@ -530,6 +534,56 @@ class Saml implements BackendSSO
|
||||
return self::emailAddress;
|
||||
}
|
||||
|
||||
/**
|
||||
* eduPersonAffiliation attribute
|
||||
*/
|
||||
const eduPersonAffiliation = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.1';
|
||||
|
||||
/**
|
||||
* Check if a group is specified depending on an affiliation attribute
|
||||
*
|
||||
* @param string $username
|
||||
* @param array $attrs
|
||||
* @param ?array& $auto_create_acct reference to $GLOBALS['auto_create_acct'] for not existing accounts
|
||||
* @param array|null $config
|
||||
* @return mixed|string|null
|
||||
*/
|
||||
private function checkAffiliation($username, array $attrs, array &$auto_create_acct=null, array $config=null)
|
||||
{
|
||||
if (!isset($config)) $config = $GLOBALS['egw_info']['server'];
|
||||
|
||||
// check if affiliation is configured and attribute returned by IdP
|
||||
$attr = $config['saml_affiliation'] === 'eduPersonAffiliation' ? self::eduPersonAffiliation : $config['saml_affiliation_oid'];
|
||||
if (!empty($attr) && !empty($attrs[$attr]) && !empty($config['saml_affiliation_group']) && !empty($config['saml_affiliation_values']) &&
|
||||
($gid = $GLOBALS['egw']->accounts->name2id($config['saml_affiliation_group'], 'account_id', 'g')))
|
||||
{
|
||||
if (!isset($auto_create_acct) && ($accout_id = $GLOBALS['egw']->accounts->name2id($username, 'account_id', 'u')))
|
||||
{
|
||||
$memberships = $GLOBALS['egw']->accounts->memberships($accout_id, true);
|
||||
}
|
||||
// check if attribute matches given values to add the extra membership
|
||||
if (array_intersect($attrs[$attr], preg_split('/, */', $config['saml_affiliation_values'])))
|
||||
{
|
||||
if (isset($auto_create_acct))
|
||||
{
|
||||
$auto_create_acct['add_group'] = $gid;
|
||||
}
|
||||
elseif ($accout_id && !in_array($gid, $memberships))
|
||||
{
|
||||
$memberships[] = $gid;
|
||||
$GLOBALS['egw']->accounts->set_memberships($memberships, $accout_id);
|
||||
}
|
||||
}
|
||||
// remove membership, if it's set
|
||||
elseif ($accout_id && ($key = array_search($gid, $memberships, false)) !== false)
|
||||
{
|
||||
unset($memberships[$key]);
|
||||
$GLOBALS['egw']->accounts->set_memberships($memberships, $accout_id);
|
||||
}
|
||||
}
|
||||
error_log(__METHOD__."('$username', ".json_encode($attrs).", ".json_encode($auto_create_acct).") attr=$attr, gid=$gid --> account_id=$accout_id, memberships=".json_encode($memberships));
|
||||
}
|
||||
|
||||
/**
|
||||
* Create simpleSAMLphp default configuration
|
||||
*
|
||||
|
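Review bot: The `error_log()` at the end of checkAffiliation runs unconditionally and writes the complete SAML attribute set (`json_encode($attrs)`) plus `$auto_create_acct` to the server log on every SSO login, and it also reads `$gid`, `$accout_id` and `$memberships`, which are only assigned inside the guarded branches, so a login with affiliation sync not configured emits undefined-variable warnings. This looks like debugging output left in; either drop it, or initialise `$gid = $accout_id = null; $memberships = [];` before the first `if` and keep the log behind a debug setting that does not dump the whole assertion. The method is declared `private function` but the first hunk calls it as `self::checkAffiliation(...)` (the method containing that call starts outside the hunk) and the body never touches `$this`, so `private static function checkAffiliation(...)` matches the call site and cannot fail as a non-static call under PHP 8 should the caller ever be static. `in_array($gid, $memberships)` and `array_search($gid, $memberships, false)` compare loosely; assuming memberships() returns integer ids like name2id, pass `true` to both so a string/int mismatch cannot add a duplicate or skip a removal.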
@ -171,6 +171,7 @@ click <a href="index.php">here</a> to return to setup. setup de <a href="index.p
|
||||
click here setup de Hier klicken
|
||||
click here to re-run the installation tests setup de zum Wiederholen der Installationstests hier klicken
|
||||
comma separated ip-addresses or host-names, default access to setup from everywhere setup de Komma getrennte IP-Adressen oder Hostnamen, Vorgabe Zugriff von überall
|
||||
comma-separated provider names or json setup de Komma-getrennte Authentifizierungstypen oder JSON
|
||||
commercial support setup de Kommerzieller Support
|
||||
community forum setup de Community Forum
|
||||
complete path to aspell program setup de Vollständiger Pfad zum Programm ASPELL
|
||||
@ -365,6 +366,7 @@ if using cas (central authentication service): setup de Wenn Sie CAS (Central Au
|
||||
if using ldap setup de Wenn Sie LDAP verwenden
|
||||
if using ldap, do you want to manage homedirectory and loginshell attributes? setup de Wenn Sie LDAP verwenden, wollen Sie Benutzerverzeichnisse und Kommandointerpreter verwalten ?
|
||||
if using mail authentication setup de Wenn Sie Mail Authentifizierung verwenden
|
||||
if using multiple authentication providers: setup de Wenn mehrere Authentifizierungtypen verwenden werden sollen:
|
||||
if using saml 2.0 / shibboleth / simplesamlphp setup de Wenn Sie SAML 2.0 / Shibboleth / SimpleSAMLphp benutzen
|
||||
if you can only access the docroot choose <b>database</b> for where to store the file content and use same path as for temporary files. setup de Wenn Sie nur die Documentroot erreichen können, wählen Sie bei Inhalt von Dateien speichern <b>Datenbank</b> UND benutzen Sie hier den Pfad für temporäre Dateien.
|
||||
if you did not receive any errors, your applications have been setup de Wenn Sie keine Fehlermeldungen erhalten, wurden Ihre Anwendungen
|
||||
@ -560,7 +562,9 @@ restore failed setup de Wiederherstellen fehlgeschlagen
|
||||
restore finished setup de Wiederherstellen beendet
|
||||
restore started, this might take a few minutes ... setup de Wiederherstellung gestartet, das kann einige Minuten dauern ...
|
||||
restoring a backup will delete/replace all content in your database. are you sure? setup de Das Wiederherstellen einer Datensicherung löscht / ersetzt den Inhalt Ihrer Datenbank. Sind Sie sicher?
|
||||
result data to add or remove extra membership setup de Ergebnisattribute um zusätzliche Mitgliedschaften hinzu zu fügen oder zu entfernen
|
||||
result data to use as username setup de Ergebnisattribute das als Benutzername verwendet wird
|
||||
result values (comma-separated) and group-name to add or remove setup de Attributewerte (durch Komma getrennt) und Gruppenname der hinzu gefügt oder entfernt wird
|
||||
return to setup setup de Zurück zum Setup
|
||||
root dn setup de Root DN
|
||||
root dn password setup de Root DN Passwort
|
||||
|
@ -172,6 +172,7 @@ click <a href="index.php">here</a> to return to setup. setup en Click <a href="i
|
||||
click here setup en Click here
|
||||
click here to re-run the installation tests setup en Click here to re-run the installation tests
|
||||
comma separated ip-addresses or host-names, default access to setup from everywhere setup en Comma separated IP addresses or host names, default access to setup from everywhere
|
||||
comma-separated provider names or json setup en Comma-separated provider names or JSON
|
||||
commercial support setup en Commercial support
|
||||
community forum setup en Community forum
|
||||
complete path to aspell program setup en Complete path to aspell program
|
||||
@ -368,6 +369,7 @@ if using cas (central authentication service): setup en if using cas (Central Au
|
||||
if using ldap setup en If using LDAP
|
||||
if using ldap, do you want to manage homedirectory and loginshell attributes? setup en If using LDAP, do you want to manage home directory and login shell attributes?
|
||||
if using mail authentication setup en If using Mail authentication
|
||||
if using multiple authentication providers: setup en If using Multiple authentication providers:
|
||||
if using saml 2.0 / shibboleth / simplesamlphp setup en If using SAML 2.0 / Shibboleth / SimpleSAMLphp
|
||||
if you can only access the docroot choose <b>database</b> for where to store the file content and use same path as for temporary files. setup en If you can only access the docroot choose <b>Database</b> for where to store the file content AND use same path as for temporary files.
|
||||
if you did not receive any errors, your applications have been setup en If you did not receive any errors, your applications have been
|
||||
@ -564,7 +566,9 @@ restore failed setup en Restore failed!
|
||||
restore finished setup en Restore finished!
|
||||
restore started, this might take a few minutes ... setup en Restore started, this might take a few minutes ...
|
||||
restoring a backup will delete/replace all content in your database. are you sure? setup en Restoring a backup will delete/replace all content in your database. Are you sure?
|
||||
result data to add or remove extra membership setup en Result data to add or remove extra membership
|
||||
result data to use as username setup en Result data to use as username
|
||||
result values (comma-separated) and group-name to add or remove setup en Result values (comma-separated) and group-name to add or remove
|
||||
return to setup setup en Return to setup
|
||||
root dn setup en Root DN
|
||||
root dn password setup en Root DN password
|
||||
|
@ -529,6 +529,25 @@
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
<tr class="row_on">
|
||||
<td>{lang_Result_data_to_add_or_remove_extra_membership}:</td>
|
||||
<td>
|
||||
<select name="newsettings[saml_affiliation]">
|
||||
<option value="eduPersonAffiliation"{selected_saml_affiliation_eduPersonAffiliation}>eduPersonAffiliation</option>
|
||||
<option value="custom"{selected_saml_affiliation_customOid}>{lang_custom_OID}</option>
|
||||
</select>
|
||||
<input name="newsettings[saml_affiliation_oid]" value="{value_saml_affiliation_oid}" placeholder="urn:oid:x.x.x.x" size="40" />
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
<tr class="row_off">
|
||||
<td>{lang_Result_values_(comma-separated)_and_group-name_to_add_or_remove}:</td>
|
||||
<td>
|
||||
<input name="newsettings[saml_affiliation_values]" value="{value_saml_affiliation_values}" placeholder="staff, ..." size="30" />
|
||||
<input name="newsettings[saml_affiliation_group]" value="{value_saml_affiliation_group}" placeholder="Teachers" size="30" />
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
<tr class="row_on">
|
||||
<td>{lang_Allow_SAML_logins_to_join_existing_accounts}:<br/>({lang_Requires_SAML_optional_on_login_page_and_user_to_specify_username_and_password})</td>
|
||||
<td>
|
||||
|
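Review bot: The custom-OID option's placeholder `{selected_saml_affiliation_customOid}` does not match its `value="custom"`; if setup fills `{selected_<setting>_<value>}` from the stored value, as the neighbouring `{selected_saml_affiliation_eduPersonAffiliation}` suggests, the custom choice will never be rendered as selected after saving and the form silently flips back to eduPersonAffiliation on the next submit. Rename it to `{selected_saml_affiliation_custom}`; the PHP side only compares against `'eduPersonAffiliation'` and falls through to `saml_affiliation_oid` for anything else, so no change is needed there. The OID input relies on the placeholder alone; a `pattern="urn:oid:[0-9.]+"` on `newsettings[saml_affiliation_oid]` would reject a pasted attribute name at the form level instead of silently never matching an IdP attribute.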