Login via assertion attribute that isn't email address (NameID Override)

[alexmillman23]

I'm a bit new to SAML, so apologies if my questions are framed in a noob way.

We would like to have the login to Craft determined by a custom field that is being passed by the IdP. Inside OneLogin, a user's email address may change, so we want to use an employeeId field to find a user connection. We can use that attribute assertion to update a user's custom field, but not so sure about using it as the auth criteria.

[dsmrt]

👋 @alexmillman23 ,

There is a setting under the IdP configuration (see screenshot, it's near where you map the fields) where you can use another attribute other than the NameID that comes through.

[dsmrt]

Also, I wanted to mention that using the system user id from the IdP is a good idea for the reasons you point out. Depending on the IdP, usually they send the NameID with the system id value (sometimes a uuid) so you may want to see what's coming over first.

[alexmillman23]

@dsmrt Appreciate the help! I should have re-read that second sentence about the assertion attribute. Having a bit of trouble getting to actual show up in the vendor/flipboxfactory/saml-sp/src/services/login/User.php getByResponse()

foreach ($this->getAssertions(
                $response,
                $serviceProvider
            ) as $assertion) {
                $attributes = $assertion->getAttributes();
                ...
                

But I suppose that's a OneLogin thing and not the plugin :)

Thanks again!

[alexmillman23]

Quick follow-up because I think I framed my question in a misleading way. While we want to pass a custom field from OneLogin to be the assertion attribute, the field connection to Craft is also a custom field on Users, not their username.

if ($nameIdOverride) {

            foreach ($this->getAssertions(
                $response,
                $serviceProvider
            ) as $assertion) {
                $attributes = $assertion->getAttributes();

                if (isset($attributes[$nameIdOverride])) {
                    $attributeValue = $attributes[$nameIdOverride];
                    $username = $this->getAttributeValue($attributeValue);
                } 
            }

        }

This seems to always expect the attribute value to be a username: $username = $this->getAttributeValue($attributeValue);

So perhaps I would need to extend / overwrite this part of the plugin's functionality to look up a User via a custom field value.

Maybe I could add a PR to allow for this functionality. Something to allow for custom field checks on the settings page under NameID Override. Then, in the forceGet method, add something like:

$user = CraftUser::find()
                ->${customFieldName}($attr)
                ->one();