onelogin / drupal-saml

MIT License

Role Mapping #28

Closed safetypins closed 8 years ago

safetypins commented 8 years ago

Are there more detailed instructions for how the role mapping works between OneLogin and the onelogin_saml module?

pitbulk commented 8 years ago

In the SAML settings panel of Drupal, you need to define the OL attribute field that contains the role data. (If you have doubts about that field, you can record a SAMLResponse with SAML Tracer and see the name of the role field. You can also review it in your SAML connector.)

This role field will contain a role value.

In Drupal there are already defined roles, so you need to map the OL values to the Drupal values.

safetypins commented 8 years ago

Right, we already have defined roles in Drupal, and we are passing a large string containing group names that the user belongs to from OL, but where in the SAML setting panel of Drupal is that mapping configured? Is it on the admin/config/onelogin_saml page, or is there another config page that I'm missing?

pitbulk commented 8 years ago

In the WordPress plugin we have support for multiple role values defined in a single SAML attribute, but here in Drupal we suppose that each role value is in a multi-value attribute.

It seems that this is not your case and you have a big string with all the data, so you will need to edit the plugin and customize it while we add that feature.

pitbulk commented 8 years ago

Here is the piece of code that splits the roles out of the string:

https://github.com/onelogin/wordpress-saml/blob/master/onelogin-saml-sso/php/functions.php#L184

safetypins commented 8 years ago

Yes, I think I'm beginning to understand. We are receiving a multivalue attribute that contains Groups, which we intend to use to define which Drupal Roles each user should receive. In our previous setup (different LDAP module), I can see a textarea where Drupal Roles are associated with the groups.

Can you give me some more info about where/how I define the mapping? Are we supposed to configure OL to pass a multivalue string that only contains the Drupal roles the user should receive?

pitbulk commented 8 years ago

Right now the SAML Drupal extension reads the SAML attribute that you mapped in the attribute section. It is able to handle:

It is not able to handle a single-value attribute, that is, one long string that contains multiple roles.

So in order to handle this you need to use a regular expression to convert the string with multiple values into an array with multiple values.

I already provided an example of how we handle that on wordpress.

If you have any doubt about how to configure role mapping on OneLogin's SAML connector, please open a support ticket for that.
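The two steps pitbulk describes in the replies above (normalise the role attribute into an array of values, whether it arrives as a multi-value attribute or as one delimited string, and then map those values onto existing Drupal roles) can be put together as follows. This is an added example, not code from the drupal-saml module or from the WordPress plugin linked above. It assumes the attribute array shape that php-saml's `getAttributes()` returns (`name => [value, ...]`); the attribute name `memberOf`, the `;`/`,` delimiters, the function names and the group-to-role mapping are all hypothetical.

```php
<?php
// Added example (not part of the drupal-saml module). Shows how to turn a
// OneLogin role/group attribute into Drupal roles through an explicit
// allowlist, covering both attribute shapes discussed in this issue.

/**
 * Split a role attribute into individual values.
 *
 * $values has the shape php-saml returns for one attribute: a list of
 * strings. The multi-value case (one role per entry) and the single-value
 * case (one entry holding "Editors;Marketing") both come out as a flat,
 * de-duplicated list. $pattern is a hypothetical choice: split only on ';'
 * or ',' so that group names containing spaces stay intact.
 */
function onelogin_example_split_roles(array $values, string $pattern = '/\s*[;,]\s*/'): array {
  $roles = [];
  foreach ($values as $value) {
    $parts = preg_split($pattern, (string) $value, -1, PREG_SPLIT_NO_EMPTY);
    foreach ($parts as $part) {
      $part = trim($part);
      if ($part !== '') {
        $roles[$part] = TRUE; // keyed array removes duplicates
      }
    }
  }
  return array_keys($roles);
}

/**
 * Map IdP values onto Drupal role names via an administrator-defined table.
 *
 * Only values present in $mapping produce a Drupal role. Anything else the
 * IdP sends is ignored, so a group name can never be turned into a role
 * (in particular an administrator role) unless the site admin listed it.
 */
function onelogin_example_map_roles(array $idp_values, array $mapping): array {
  $drupal_roles = [];
  foreach ($idp_values as $value) {
    if (isset($mapping[$value])) {
      $drupal_roles[$mapping[$value]] = TRUE;
    }
  }
  return array_keys($drupal_roles);
}

// Constructed sample input in the shape php-saml's getAttributes() returns.
// First the multi-value attribute the module already handles, then the
// single delimited string from this issue.
$attributes_multi = [
  'memberOf' => ['Editors', 'Marketing'],
];
$attributes_single = [
  'memberOf' => ['Editors; Marketing; Domain Admins'],
];

// Hypothetical mapping from OneLogin group names to Drupal role names. This
// lives in site configuration, never in the SAMLResponse itself.
$mapping = [
  'Editors'   => 'editor',
  'Marketing' => 'content_contributor',
];

foreach ([$attributes_multi, $attributes_single] as $attributes) {
  $values = onelogin_example_split_roles($attributes['memberOf'] ?? []);
  $roles  = onelogin_example_map_roles($values, $mapping);
  print_r($roles);
}
```

Both sample inputs produce the same Drupal role list, and the unmapped `Domain Admins` value in the second input is discarded rather than passed through. When wiring this into the module, keep the mapping table on the Drupal side and recompute the user's SAML-derived roles on every login, so that a group removed in OneLogin also disappears from Drupal instead of lingering from an earlier session.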

safetypins commented 8 years ago

Thanks for your support, with the information you provided I was able to customize the code to give out the appropriate roles.