flipboxfactory / saml-sp

SAML Service Provider (SP) Plugin for Craft CMS
https://saml-sp.flipboxfactory.com/

I'm having trouble not assigning a user to a group by default. #199

Closed J-Protz closed 10 months ago

J-Protz commented 11 months ago

I originally had the setting to assign users to group [1] by default for front end users. This was forgotten about and started assigning admins to this group.

I want to keep the ability to assign users to group 1 for one provider, but simply not assign a group (or choose a different one if need be) for the second provider.

I tried the following code, with empty array, array with an id, and null, and none of them worked. Empty array still assigned a user to group 1 (not really sure why since the config is gone), and the other two threw errors.

    use yii\base\Event;

    Event::on(
        \flipbox\saml\sp\services\login\UserGroups::class,
        \flipbox\saml\sp\services\login\UserGroups::EVENT_BEFORE_USER_GROUP_ASSIGN,
        function (\flipbox\saml\sp\events\UserGroupAssign $event) {
            /** @var \craft\elements\User $user */
            $user = $event->user;
            /** @var \craft\models\UserGroup[] $existingGroups */
            $existingGroups = $event->existingGroups;
            /** @var \craft\models\UserGroup[] $groupsFound */
            $groupsFound = $event->groupsFoundInAssertions;
            /** @var \SAML2\Response $response */
            $response = $event->response;

            try {
                // If we're using SSO for Okta, do nothing (both branches were tried with an empty array)
                $origin = Craft::$app->getRequest()->headers->toArray()['origin'][0];
                if (stripos($origin, 'okta') !== false) {
                    $event->groupToBeAssigned = [];
                } else {
                    $event->groupToBeAssigned = [];
                }
            } catch (\Throwable $e) {
                // Any error from the header lookup is swallowed here
            }

            // overwrite this property (these will be assigned to the user after event is run)
            // $event->groupToBeAssigned = $groups;
        }
    );
J-Protz commented 11 months ago

Update: I would ideally like to add new CP users to no groups. However, I have the following code working, EXCEPT it's still adding users to the group customers. So when I log in, it adds the user to the group I chose (agents), but also the customers group.

I have user settings to not assign groups by default, and I am not overriding the php config setting (it used to be).

    use yii\base\Event;

    Event::on(
        \flipbox\saml\sp\services\login\UserGroups::class,
        \flipbox\saml\sp\services\login\UserGroups::EVENT_BEFORE_USER_GROUP_ASSIGN,
        function (\flipbox\saml\sp\events\UserGroupAssign $event) {
            /** @var \craft\elements\User $user */
            $user = $event->user;
            /** @var \craft\models\UserGroup[] $existingGroups */
            $existingGroups = $event->existingGroups;
            /** @var \craft\models\UserGroup[] $groupsFound */
            $groupsFound = $event->groupsFoundInAssertions;
            /** @var \SAML2\Response $response */
            $response = $event->response;

            try {
                // Pick the group from the request origin: Okta logins get 'agents', everything else 'customers'
                $origin = Craft::$app->getRequest()->headers->toArray()['origin'][0];
                $groupHandle = 'agents';
                $agentsGroup = Craft::$app->userGroups->getGroupByHandle($groupHandle);
                $customerGroup = Craft::$app->userGroups->getGroupByHandle('customers');
                if (stripos($origin, 'okta') !== false) {
                    $event->groupToBeAssigned = [$agentsGroup];
                } else {
                    $event->groupToBeAssigned = [$customerGroup];
                }
            } catch (\Throwable $e) {
                // Any error from the header or group lookup is swallowed here
            }

            // overwrite this property (these will be assigned to the user after event is run)
            // $event->groupToBeAssigned = $groups;
        }
    );
J-Protz commented 11 months ago

Alright, sorry, last update. I had the setting `'defaultGroupAssignments' => [1],`. I had commented this out, however it still assigned the users to the group. Not sure why, but if I explicitly set it to an empty array, this fixes it.

dsmrt commented 11 months ago

Ok. Sounds like you have 2 providers (okta and something else) and want to set the default group for those coming from okta.

If I have that correct, the best way to do this would be to use the event like you are doing and grab the issuer value from the Response. That'll be the same value as the entity ID viewable in Craft from the Okta metadata. So you can use that exact string if needed to see if that's where the message is coming from.
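The issuer-based approach described in the reply above, as an added example that is neither the plugin's nor the issue author's code: the group decision keys on the Issuer of the validated SAML Response instead of the client-supplied Origin header, and an unknown issuer yields no groups rather than a default. It assumes the user group handles `agents` and `customers` and uses placeholder entity ID strings that must be replaced with the exact values shown in each provider's metadata in Craft.

```php
<?php
// Added example, not code from the saml-sp plugin or the issue author.

use flipbox\saml\sp\events\UserGroupAssign;
use flipbox\saml\sp\services\login\UserGroups;
use yii\base\Event;

// Placeholders: replace with the entity ID (Issuer) strings from each provider's metadata.
const OKTA_ENTITY_ID  = 'https://www.okta.com/PLACEHOLDER-OKTA-ENTITY-ID';
const OTHER_ENTITY_ID = 'https://idp.example.invalid/PLACEHOLDER-ENTITY-ID';

/**
 * Map a Response Issuer to the Craft user groups that should be assigned.
 * Issuers not listed here get an empty array, so a provider that was never
 * configured for group assignment cannot inherit another provider's groups.
 *
 * @return \craft\models\UserGroup[]
 */
function groupsForIssuer(string $issuer): array
{
    $handlesByIssuer = [
        OKTA_ENTITY_ID  => ['agents'],    // CP users coming from Okta
        OTHER_ENTITY_ID => ['customers'], // front-end users from the second provider
    ];

    $groups = [];
    foreach ($handlesByIssuer[$issuer] ?? [] as $handle) {
        $group = Craft::$app->userGroups->getGroupByHandle($handle);
        if ($group !== null) { // skip unknown handles instead of assigning null
            $groups[] = $group;
        }
    }
    return $groups;
}

Event::on(
    UserGroups::class,
    UserGroups::EVENT_BEFORE_USER_GROUP_ASSIGN,
    function (UserGroupAssign $event) {
        // The Issuer comes from the Response the SP has already validated, unlike
        // the Origin header, which any HTTP client can set to whatever it likes.
        $issuer = $event->response->getIssuer();
        // simplesamlphp/saml2 returns a string or an Issuer element depending on its version.
        $issuerId = $issuer instanceof \SAML2\XML\saml\Issuer ? $issuer->getValue() : (string) $issuer;

        $event->groupToBeAssigned = groupsForIssuer($issuerId);
    }
);
```

This sits alongside an explicit `'defaultGroupAssignments' => []` in the plugin config, as noted earlier in the thread, so the default group is not applied on top of the event's result.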