
stanford_ssp's Introduction

Version: 8.x-2.x


Maintainers: jbickar, sherakama, pookmish

Changelog.txt

Additional enhancements to the Drupal contrib module SimpleSamlPHP Auth. See the contrib module for more documentation.

Installation

Follow the installation guide provided by SimpleSamlPHP Auth.

Prerequisites

SimpleSAMLphp - you must have SimpleSAMLphp version 1.6 or newer installed and configured to operate as a service provider (SP).

See more in the documentation for SimpleSamlPHP Auth.

Configuration

The main configuration page can be found at: /admin/config/people/simplesamlphp_auth

To use the workgroup API, you must work with the MAIS team to get a valid certificate. V1 API certificates do not automatically work with the V2 API.

Troubleshooting

Send a helpsu to Stanford Web Services or post an issue to the GitHub issue queue.

Contribution / Collaboration

You are welcome to contribute functionality, bug fixes, or documentation to this module. If you would like to suggest a fix or new functionality you may add a new issue to the GitHub issue queue or you may fork this repository and submit a pull request. For more help please see GitHub's article on fork, branch, and pull requests


Releases

Steps to build a new release:

  • Checkout the latest commit from the 8.x-2.x branch.
  • Create a new branch for the release.
  • Commit any necessary changes to the release branch.
    • These may include, but are not necessarily limited to:
    • Update the version in any info.yml files, including in any submodules.
    • Update the CHANGELOG to reflect the changes made in the new release.
  • Make a PR to merge your release branch into master.
  • Give the PR a semver-compliant label, e.g., (patch, minor, major). This may happen automatically via GitHub Actions (if a labeler action is configured).
  • When the PR is merged to master, a new tag will be created automatically, bumping the version by the semver label.
  • The GitHub action is built from semver-release-action, and further documentation is available there.

stanford_ssp's People

Contributors

boznik, imonroe, jbickar, joegl, kmakitan, pookmish, sherakama


stanford_ssp's Issues

SSO - Misc functionality

The following items should be reviewed to ensure they are either happening already or need to be created.

  • Drush command to map a role to a workgroup
  • Drush command to add a user
  • Default roles are created (Stanford Faculty, Stanford Staff, Stanford Student, SUNet User, SSO User)
  • A default role for anyone that is created through SAML should be applied (SSO User)
  • Login blocks are available and configurable
  • One time log in link is not sent for any account that was created through SAML

SSO - Module Structure

Convert the D7 module files and format to Drupal 8. eg: stanford_ssp.info -> stanford_ssp.info.yml

SSO - Upgrade Path

Define and write an upgrade path from the D7 version to the D8 version.

SSO - Create add user from SAML functionality

User Stories:

  • As an administrator I would like to be able to add users from SAML so they don't have to log in first in order for me to give them permissions.

  • When I create a new user, as an administrator, I want the option of having Drupal notify the user of the new account.

  • The add SSO user form should not display a password field unless local account login is enabled for SAML users.

Functional Example:
https://ssp-demo.anchorage.stanford.edu/admin/config/stanford/stanford_ssp/add-sso-user


SSO - Create User Settings Configuration Form

User Stories:

  • As an administrator I want to be able to enable and disable automatic account provisioning on successful log in as I don't always want users to have a Drupal user account.
  • As an administrator I want to be able to toggle on and off authentication with local Drupal user accounts to enforce all users to go through SAML
  • As an administrator I want to allow SAML created users to be able to set a local Drupal password so they can authenticate with either set of credentials
  • As an administrator I want to be able to set the destination for a user after successful log in with SAML so that they are in the correct place to start.
  • As an administrator I want to be able to set which attribute of the SAML response to use for the user name that the user gets when an account is created.
  • As an administrator I want to be able to set which attribute of the SAML response to use for the UID that the user gets when an account is created.
  • As an administrator I want to be able to set which attribute of the SAML response to use for the email that the user gets when an account is created.

Functional Example:
https://ssp-demo.anchorage.stanford.edu/admin/config/stanford/stanford_ssp


Notice: Undefined index: eduPersonPrincipalName

Hi,

I'm seeing this pop up in the logs from time to time on a newly launched site. Just a PHP Notice. We're marking it as low priority. CC: @zchandler

Notice: Undefined index: eduPersonPrincipalName in stanford_ssp_simplesamlphp_auth_existing_user() (line 123 of /code/web/modules/custom/stanford_ssp/stanford_ssp.module)

#0 /code/web/core/includes/bootstrap.inc(600): _drupal_error_handler_real(8, 'Undefined index...', '/code/web/modul...', 123, Array)
#1 /code/web/modules/custom/stanford_ssp/stanford_ssp.module(123): _drupal_error_handler(8, 'Undefined index...', '/code/web/modul...', 123, Array)
#2 [internal function]: stanford_ssp_simplesamlphp_auth_existing_user(Array)
#3 /code/web/core/lib/Drupal/Core/Extension/ModuleHandler.php(392): call_user_func_array('stanford_ssp_si...', Array)
#4 /code/web/modules/contrib/simplesamlphp_auth/src/Service/SimplesamlphpDrupalAuth.php(187): Drupal\Core\Extension\ModuleHandler->invoke('stanford_ssp', 'simplesamlphp_a...', Array)
#5 /code/web/modules/custom/stanford_ssp/src/Service/StanfordSSPDrupalAuth.php(74): Drupal\simplesamlphp_auth\Service\SimplesamlphpDrupalAuth->externalRegister('geerke')
#6 /code/web/modules/contrib/simplesamlphp_auth/src/Controller/SimplesamlphpAuthController.php(192): Drupal\stanford_ssp\Service\StanfordSSPDrupalAuth->externalLoginRegister('geerke')
#7 [internal function]: Drupal\simplesamlphp_auth\Controller\SimplesamlphpAuthController->authenticate()
#8 /code/web/core/lib/Drupal/Core/EventSubscriber/EarlyRenderingControllerWrapperSubscriber.php(123): call_user_func_array(Array, Array)
#9 /code/web/core/lib/Drupal/Core/Render/Renderer.php(573): Drupal\Core\EventSubscriber\EarlyRenderingControllerWrapperSubscriber->Drupal\Core\EventSubscriber\{closure}()
#10 /code/web/core/lib/Drupal/Core/EventSubscriber/EarlyRenderingControllerWrapperSubscriber.php(124): Drupal\Core\Render\Renderer->executeInRenderContext(Object(Drupal\Core\Render\RenderContext), Object(Closure))
#11 /code/web/core/lib/Drupal/Core/EventSubscriber/EarlyRenderingControllerWrapperSubscriber.php(97): Drupal\Core\EventSubscriber\EarlyRenderingControllerWrapperSubscriber->wrapControllerExecutionInRenderContext(Array, Array)
#12 /code/vendor/symfony/http-kernel/HttpKernel.php(151): Drupal\Core\EventSubscriber\EarlyRenderingControllerWrapperSubscriber->Drupal\Core\EventSubscriber\{closure}()
#13 /code/vendor/symfony/http-kernel/HttpKernel.php(68): Symfony\Component\HttpKernel\HttpKernel->handleRaw(Object(Symfony\Component\HttpFoundation\Request), 1)
#14 /code/web/core/lib/Drupal/Core/StackMiddleware/Session.php(57): Symfony\Component\HttpKernel\HttpKernel->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
#15 /code/web/core/lib/Drupal/Core/StackMiddleware/KernelPreHandle.php(47): Drupal\Core\StackMiddleware\Session->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
#16 /code/web/core/modules/page_cache/src/StackMiddleware/PageCache.php(191): Drupal\Core\StackMiddleware\KernelPreHandle->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
#17 /code/web/core/modules/page_cache/src/StackMiddleware/PageCache.php(128): Drupal\page_cache\StackMiddleware\PageCache->fetch(Object(Symfony\Component\HttpFoundation\Request), 1, true)
#18 /code/web/core/modules/page_cache/src/StackMiddleware/PageCache.php(82): Drupal\page_cache\StackMiddleware\PageCache->lookup(Object(Symfony\Component\HttpFoundation\Request), 1, true)
#19 /code/web/core/lib/Drupal/Core/StackMiddleware/ReverseProxyMiddleware.php(47): Drupal\page_cache\StackMiddleware\PageCache->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
#20 /code/web/core/lib/Drupal/Core/StackMiddleware/NegotiationMiddleware.php(52): Drupal\Core\StackMiddleware\ReverseProxyMiddleware->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
#21 /code/vendor/stack/builder/src/Stack/StackedHttpKernel.php(23): Drupal\Core\StackMiddleware\NegotiationMiddleware->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
#22 /code/web/core/lib/Drupal/Core/DrupalKernel.php(708): Stack\StackedHttpKernel->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
#23 /code/web/index.php(19): Drupal\Core\DrupalKernel->handle(Object(Symfony\Component\HttpFoundation\Request))
#24 {main}

SSO - Create Role Mappings Configuration Form

User Stories:

  • As an administrator I want to be able to map Stanford workgroups to Drupal roles for users that are authenticated through SAML

  • As an administrator I want to be able to choose between reevaluating and updating the roles assigned to a person every time they log in so that SAML controls the user's roles or allowing SAML to add roles to a user but never take them away so that I can assign users additional permissions on the Drupal website.

Functional Example:
https://ssp-demo.anchorage.stanford.edu/admin/config/stanford/stanford_ssp/role-mappings


SSO - Create Authorizations configuration form

User Stories:

  • As an administrator I want to be able to enable and disable authentication for local Drupal accounts
  • As an administrator I want to be able to specify which roles can log in with local Drupal accounts and which cannot so that I may separate the authentication scheme for different types of users.
  • As an administrator I want to be able to specify which users can log in with local Drupal accounts even if they were registered as a SAML user in the first place.
  • As an administrator I want to be able to prevent successful log in to anyone except a specific set of sunet ids so that no one outside my group can log in.
  • As an administrator I want to be able to allow anyone with a valid sunet id to log in.
  • As an administrator I want to be able to allow successful log in to a specific set of workgroups so that no one outside my group can authenticate with the website.

Functional Example:
https://ssp-demo.anchorage.stanford.edu/admin/config/stanford/stanford_ssp/authorizations


Existing SUNET user assigned to wrong local user

While investigating this, I see

select * from stanford_ssp_sunetid;                
+-------+-------+
| sunet | uid   |
+-------+-------+
|       | 12345 |
+-------+-------+
1 row in set (0.01 sec)

The data coming back from the IdP does not include a uid attribute. We have the setting stanford_simplesamlphp_auth_unique_id set to the correct key and logins work, but when new users come in they get mapped to the uid 12345 via the table above.

Drupal 10 compatibility

We use the stanford_ssp module for authenticating users with fsh.stanford.edu (and likely other Stanford sites). Having reviewed the lengthy discussion on drupal.org regarding the path forward for a stable version of the simplesamlphp_auth module (a dependency on stanford_ssp) we're not confident that a stable version will be released in time for Drupal 9's end of life.

The issue thread linked to above has a workaround that includes forking the simplesamlphp library, yet it's not clear that the maintainer of that fork is interested in maintaining it long-term.

We're inclined to deprecate stanford_ssp on the FSH site and implement Drupal's Saml Authentication module unless the Stanford web team has plans for stanford_ssp that don't rely on a dev version of simplesamlphp_auth.

What plans are there to update stanford_ssp for Drupal 10 compatibility?

SSO - Transition path

Create a path for transitioning a website that was using webauth to use this module.

Status check

Hi Team, looks like this module is further along than the last time I checked! I have several websites in production using simplesamlphp_auth, when would you recommend switching over to this?
Thanks as always,
Zach

SSO - Create SSO General Configuration Form

User Stories:

  • As an administrator I want to be able to turn SSO authentication on and off without disabling the module and losing all of my settings.
  • As an administrator I want to be able to turn local Drupal account log in on and off so I can enforce SAML authentication only
  • As an administrator I want to be able to force authentication and site usage through HTTPS so I can ensure my users have a secure connection
  • As an administrator I want to be able to disable browser based page caching for my logged in users so I can guarantee they get the most recent content
  • As an administrator I want to be able to toggle on and off an automatic attempt at authenticating with SAML so that I can change the access denied experience to suit my site and my needs.
  • As an administrator I want to be able to customize the SAML service provider settings so that this whole thing can work.

Functional Example:
https://ssp-demo.anchorage.stanford.edu/admin/config/stanford/stanford_ssp


username, uid, and email settings description incorrect

In stanford_ssp_configuration_form(), each of these settings states in the field description

"If the attribute is multivalued, the first value will be used."

however the getter functions

  • stanford_simplesamlphp_auth_get_authname()
  • stanford_simplesamlphp_auth_get_username()
  • stanford_simplesamlphp_auth_get_email()

assume it is an array and always fetch the first value
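
The "Undefined index: eduPersonPrincipalName" notice, the blank sunet row in "Existing SUNET user assigned to wrong local user", and the getter behaviour described in this issue all concern how SAML attributes are read before a login is matched to a local account. The following is an added example, not code from stanford_ssp or simplesamlphp_auth: it reads an attribute defensively and refuses the login when the identifier is missing or empty, rather than looking up an empty key. The `ssp_example_*` functions, the `$map` array standing in for the stanford_ssp_sunetid table, the `uid` attribute name and the sample responses are all hypothetical or constructed.

```php
<?php
declare(strict_types=1);

// First non-empty value of a SAML attribute, or NULL. Handles a missing key
// (no "Undefined index" notice), the usual list form, and a bare scalar.
function ssp_example_first_value(array $attributes, string $name): ?string {
  if (!array_key_exists($name, $attributes)) {
    return NULL;
  }
  $raw = $attributes[$name];
  foreach (is_array($raw) ? $raw : [$raw] as $value) {
    if (is_scalar($value) && trim((string) $value) !== '') {
      return trim((string) $value);
    }
  }
  return NULL;
}

// Look up the local Drupal uid for a login. $map is a hypothetical stand-in for
// the stanford_ssp_sunetid table (sunet => uid). Fails closed: a response
// without a usable identifier is refused instead of being looked up as ''.
function ssp_example_resolve_uid(array $attributes, string $idAttribute, array $map): ?int {
  $id = ssp_example_first_value($attributes, $idAttribute);
  if ($id === NULL) {
    throw new RuntimeException("No usable '$idAttribute' attribute; login refused.");
  }
  return $map[$id] ?? NULL; // NULL: no account bound to this identifier yet.
}

// Rows whose key is blank can match any login that lacks the attribute.
function ssp_example_blank_rows(array $map): array {
  return array_filter($map, fn($uid, $sunet) => trim((string) $sunet) === '', ARRAY_FILTER_USE_BOTH);
}

// Constructed sample data: the blank row shown in the issue plus one valid row.
$map = ['' => 12345, 'jdoe' => 42];
$responses = [
  'list form'   => ['uid' => ['jdoe'], 'mail' => ['jdoe@example.edu']],
  'scalar form' => ['uid' => 'jdoe'],
  'new user'    => ['uid' => ['asmith']],
  'uid missing' => ['mail' => ['asmith@example.edu']],
  'uid empty'   => ['uid' => ['']],
];

foreach ($responses as $label => $attributes) {
  try {
    $uid = ssp_example_resolve_uid($attributes, 'uid', $map);
    echo $label, ': ', $uid === NULL ? 'no existing account' : "uid $uid", PHP_EOL;
  }
  catch (RuntimeException $e) {
    echo $label, ': ', $e->getMessage(), PHP_EOL;
  }
}
echo 'blank mapping rows: ', json_encode(ssp_example_blank_rows($map)), PHP_EOL;
```

Run it with the PHP CLI (7.4 or newer, for the arrow function); the last line reports any blank-key rows that should be cleaned out of the mapping.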

SSO - Behat tests

Create a set of Behat tests to cover a number of the actions allowed in this module.

SSO - Create Login Block & Form Configuration Page

User Stories:

  • As an administrator I would like to be able to hide and show the local Drupal user login form on the /user page
  • As an administrator I would like to be able to hide and show the SSO user login link on the form on the /user page
  • As an administrator I would like to be able to configure the text that is displayed as the login link for SAML on the /user page

Tasks:

  1. Create form page and menu item
  2. Form validation
  3. Form functionality (The hide show stuff on user page)

Functional Example:
https://ssp-demo.anchorage.stanford.edu/admin/config/stanford/stanford_ssp/login-block-forms


SSO - Contrib dependency evaluation

The Drupal 7 version of simplesamlphp_auth did not allow for enough flexibility to accomplish the goals we set out so we adopted it as a submodule of this project and re-wrote the parts that made sense to us.
See:

Evaluate whether or not the D8 version is stable and functional enough for this project to depend on or whether we will need to adopt/patch/contribute-to the contrib module.
