From ca8ad760d7885b13091f19fad591e6e29eae8aaf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20B=C3=B6hmer?= Date: Sun, 1 Dec 2024 22:54:22 +0100 Subject: [PATCH] Allow SAML users to access the API This fixes issue #765. --- .../EnsureSAMLUserForSAMLLoginChecker.php | 22 +++++++++++++------ translations/security.en.xlf | 10 +++++++-- 2 files changed, 23 insertions(+), 9 deletions(-) diff --git a/src/Security/EnsureSAMLUserForSAMLLoginChecker.php b/src/Security/EnsureSAMLUserForSAMLLoginChecker.php index 7b540984..0ebf893c 100644 --- a/src/Security/EnsureSAMLUserForSAMLLoginChecker.php +++ b/src/Security/EnsureSAMLUserForSAMLLoginChecker.php @@ -25,6 +25,7 @@ namespace App\Security; use App\Entity\UserSystem\User; use Nbgrp\OneloginSamlBundle\Security\Http\Authenticator\Token\SamlToken; use Symfony\Component\EventDispatcher\EventSubscriberInterface; +use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken; use Symfony\Component\Security\Core\Event\AuthenticationSuccessEvent; use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException; use Symfony\Contracts\Translation\TranslatorInterface; @@ -50,13 +51,20 @@ class EnsureSAMLUserForSAMLLoginChecker implements EventSubscriberInterface $token = $event->getAuthenticationToken(); $user = $token->getUser(); - //If we are using SAML, we need to check that the user is a SAML user. - if ($token instanceof SamlToken) { - if ($user instanceof User && !$user->isSamlUser()) { - throw new CustomUserMessageAccountStatusException($this->translator->trans('saml.error.cannot_login_local_user_per_saml', [], 'security')); - } - } elseif ($user instanceof User && $user->isSamlUser()) { - //Ensure that you can not login locally with a SAML user (even if this should not happen, as the password is not set) + //Do not check for anonymous users + if (!$user instanceof User) { + return; + } + + //Do not allow SAML users to login as local user + if ($token instanceof SamlToken && !$user->isSamlUser()) { + throw new CustomUserMessageAccountStatusException($this->translator->trans('saml.error.cannot_login_local_user_per_saml', + [], 'security')); + } + + //Do not allow local users to login as SAML user via local username and password + if ($token instanceof UsernamePasswordToken && $user->isSamlUser()) { + //Ensure that you can not login locally with a SAML user (even though this should not happen, as the password is not set) throw new CustomUserMessageAccountStatusException($this->translator->trans('saml.error.cannot_login_saml_user_locally', [], 'security')); } } diff --git a/translations/security.en.xlf b/translations/security.en.xlf index 43f2a92f..19d382ba 100644 --- a/translations/security.en.xlf +++ b/translations/security.en.xlf @@ -1,17 +1,23 @@ - + user.login_error.user_disabled Your account is disabled! Contact an administrator if you think this is wrong. - + saml.error.cannot_login_local_user_per_saml You cannot login as local user via SSO! Use your local user password instead. + + + saml.error.cannot_login_saml_user_locally + You cannot use local authentication to login as SAML user! Use SSO login instead. + +