Allow to automatically assign SAML users to a group based on SAML attributes

2025-06-26 11:48:49 +02:00 · 2023-02-27 23:47:42 +01:00 · 2023-02-27 23:47:42 +01:00 · 5e85c52a57
commit 5e85c52a57
parent 6a06a24296
6 changed files with 151 additions and 11 deletions
--- a/src/Security/SamlUserFactory.php
+++ b/src/Security/SamlUserFactory.php
@ -20,12 +20,32 @@

 namespace App\Security;

+use App\Entity\UserSystem\Group;
 use App\Entity\UserSystem\User;
+use Doctrine\ORM\EntityManagerInterface;
+use Hslavich\OneloginSamlBundle\Security\Http\Authenticator\Token\SamlToken;
 use Hslavich\OneloginSamlBundle\Security\User\SamlUserFactoryInterface;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\Security\Core\Event\AuthenticationSuccessEvent;
 use Symfony\Component\Security\Core\User\UserInterface;

-class SamlUserFactory implements SamlUserFactoryInterface
+class SamlUserFactory implements SamlUserFactoryInterface, EventSubscriberInterface
 {
+    private EntityManagerInterface $em;
+    private array $saml_role_mapping;
+    private bool $update_group_on_login;
+
+    public function __construct(EntityManagerInterface $entityManager, ?array $saml_role_mapping, bool $update_group_on_login)
+    {
+        $this->em = $entityManager;
+        if ($saml_role_mapping) {
+            $this->saml_role_mapping = $saml_role_mapping;
+        } else {
+            $this->saml_role_mapping = [];
+        }
+        $this->update_group_on_login = $update_group_on_login;
+    }
+
    public const SAML_PASSWORD_PLACEHOLDER = '!!SAML!!';

    public function createUser($username, array $attributes = []): UserInterface
@ -37,8 +57,98 @@ class SamlUserFactory implements SamlUserFactoryInterface
        //This is a SAML user now!
        $user->setSamlUser(true);

+        //Update basic user information
        $user->setSamlAttributes($attributes);

+        //Check if we can find a group for this user based on the SAML attributes
+        $group = $this->mapSAMLAttributesToLocalGroup($attributes);
+        $user->setGroup($group);
+
        return $user;
    }
+
+    /**
+     * This method is called after a successful authentication. It is used to update the group of the user,
+     * based on the new SAML attributes.
+     * @param  AuthenticationSuccessEvent  $event
+     * @return void
+     */
+    public function onAuthenticationSuccess(AuthenticationSuccessEvent $event): void
+    {
+        if (! $this->update_group_on_login) {
+            return;
+        }
+
+        $token = $event->getAuthenticationToken();
+        $user = $token->getUser();
+        //Only update the group if the user is a SAML user
+        if (! $token instanceof SamlToken || ! $user instanceof User) {
+            return;
+        }
+
+        //Check if we can find a group for this user based on the SAML attributes
+        $group = $this->mapSAMLAttributesToLocalGroup($token->getAttributes());
+        //If needed update the group of the user and save it to DB
+        if ($group !== $user->getGroup()) {
+            $user->setGroup($group);
+            $this->em->flush($user);
+        }
+    }
+
+    /**
+     * Maps the given SAML attributes to a local group.
+     * @param  array  $attributes The SAML attributes
+     * @return Group|null
+     */
+    public function mapSAMLAttributesToLocalGroup(array $attributes): ?Group
+    {
+        //Extract the roles from the SAML attributes
+        $roles = $attributes['group'] ?? [];
+        $group_id = $this->mapSAMLRolesToLocalGroupID($roles);
+
+        //Check if we can find a group with the given ID
+        if ($group_id !== null) {
+            $group = $this->em->find(Group::class, $group_id);
+            if ($group !== null) {
+                return $group;
+            }
+        }
+
+        //If no group was found, return null
+        return null;
+    }
+
+    /**
+     * Maps a list of SAML roles to a local group ID.
+     * @param  array  $roles The list of SAML roles
+     * @param  array  $map|null The mapping from SAML roles. If null, the global mapping will be used.
+     * @return int|null The ID of the local group or null if no mapping was found.
+     */
+    public function mapSAMLRolesToLocalGroupID(array $roles, array $map = null): ?int
+    {
+        $map = $map ?? $this->saml_role_mapping;
+
+        //Iterate over all roles and check if we have a mapping for it.
+        foreach ($roles as $role) {
+            if (array_key_exists($role, $map)) {
+                //We use the first available mapping
+                return (int) $map[$role];
+            }
+        }
+
+        //If no applicable mapping was found, check if we have a default mapping
+        if (array_key_exists('*', $map)) {
+            return (int) $map['*'];
+        }
+
+        //If no mapping was found, return null
+        return null;
+    }
+
+    public static function getSubscribedEvents(): array
+    {
+        return [
+            AuthenticationSuccessEvent::class => 'onAuthenticationSuccess',
+        ];
+    }
 }