SAML role mapping removing ones manually set

Bug #1879594 reported by Robert Lyon on 2020-05-20
This bug affects 3 people

Bug Description

With the new SAML role mapping it allows the setting / removal of roles to a user at login time based on what roles are passed through from the IDP.

This has now highlighted the following problems

1) If the IDP does not send through role information then the user will be stripped of admin / staff roles - so when we set them manually they disappear at the next login

2) The institution staff / admin roles don't seem to be removed when the user doesn't have that role

We need to fix problem (2) and we need to add some functionality that deals with avoiding the problem in (1)

It has been suggested that we add a flag to the SAML auth so in the config for SAML auth we need to add below the role prefix field a switch so the following options will exist.

Switch ON
 - If roles array from IdP is set and 'SSO field for roles' is set -> Respect the IdP roles values on all logins - even if the roles array is empty
 - If roles array from IdP is not set and/or 'SSO field for roles' is not set -> Ignore setting roles from IdP

Switch OFF
 -> Ignore setting roles from IdP

Changed in mahara:
status: New → Confirmed
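An added illustration of the switch logic proposed above, not Mahara's own code: it assumes the role prefix is stripped from the IdP attribute values (hypothetical `role_prefix`), that only the institution admin/staff roles are managed by the mapping, and uses constructed attribute names and role sets.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Mapping, Optional, Sequence, Tuple

# Assumption: the mapping may only grant or revoke these roles; any other
# role the user holds is left alone.
MANAGED_ROLES = frozenset({"admin", "staff"})


@dataclass(frozen=True)
class SamlRoleConfig:
    role_prefix: str            # hypothetical: prefix stripped from IdP values
    role_field: Optional[str]   # 'SSO field for roles'; None when not set
    respect_idp_roles: bool     # the proposed switch (True = ON)


def roles_after_login(cfg: SamlRoleConfig,
                      attributes: Mapping[str, Sequence[str]],
                      current_roles: Iterable[str]) -> Tuple[bool, FrozenSet[str]]:
    """Return (applied, resulting_roles) for one login.

    applied is False whenever the IdP roles are ignored, so manually set
    roles survive: switch OFF, field unset, or no roles array sent (problem 1).
    """
    if not cfg.respect_idp_roles or not cfg.role_field:
        return False, frozenset(current_roles)
    if cfg.role_field not in attributes:
        return False, frozenset(current_roles)   # IdP sent nothing about roles

    wanted = set()
    for value in attributes[cfg.role_field]:
        if value.startswith(cfg.role_prefix):
            role = value[len(cfg.role_prefix):]
            if role in MANAGED_ROLES:
                wanted.add(role)

    # The array is present (possibly empty), so the IdP is authoritative for
    # the managed roles: any it did not send is revoked (fixes problem 2).
    unmanaged = set(current_roles) - MANAGED_ROLES
    return True, frozenset(unmanaged | wanted)


def role_changes(before: Iterable[str],
                 after: Iterable[str]) -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """(granted, revoked) for an audit log line written at login."""
    b, a = set(before), set(after)
    return frozenset(a - b), frozenset(b - a)
```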