diff --git a/README.md b/README.md
index c0b722c1d..721079d9a 100644
--- a/README.md
+++ b/README.md
@@ -59,6 +59,7 @@ Features
 * Automatic certificate creation
 * Optionally auto create users
 * Support for multiple identity providers
+* Role mapping for admin, manager and course_creator system roles
 * Idp initiated flow / IdP first flow / IdP unsolicited logins, eg:
 http://idp.local/simplesaml/saml2/idp/SSOService.php?spentityid=http://moodle.local/auth/saml2/sp/metadata.php&RelayState=http://moodle.local/course/view.php?id=2
@@ -67,7 +68,6 @@ http://idp.local/simplesaml/saml2/idp/SSOService.php?spentityid=http://moodle.lo
 Features not yet implemented:
 * Enrolment - this should be an enrol plugin and not in an auth plugin
-* Role mapping - not yet implemented
 Branches
 --------
diff --git a/classes/auth.php b/classes/auth.php
index 0970d00b8..f20ded585 100644
--- a/classes/auth.php
+++ b/classes/auth.php
@@ -687,6 +687,9 @@ public function saml_login_complete($attributes) {
 set_config('siteadmins', implode(',', $admins));
 }
+ // Synchronize IdP roles to moodle
+ sync_roles($user, $attributes, $this->config);
+
 // Make sure all user data is fetched.
 $user = get_complete_user_data('username', $user->username);
diff --git a/lang/en/auth_saml2.php b/lang/en/auth_saml2.php
index 22ca2f549..c9d12e146 100644
--- a/lang/en/auth_saml2.php
+++ b/lang/en/auth_saml2.php
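Review bot: The new `sync_roles($user, $attributes, $this->config);` call relies on locallib.php's global function already being loaded inside this class file, and nothing in the hunk requires it; if classes/auth.php does not include locallib.php (cannot tell from here) every SAML login fatals with an undefined function, so add the `require_once` next to the call or move the helper into the class. The context line just above already rewrites `siteadmins` for the existing auto-admin path, so the same config value is now written twice per login from two unrelated places; route that branch through the same helper, or at least gate the call on a non-empty mapping so sites that never configured role mapping do not run the extra role lookups on every login. saml_login_complete() starts and ends outside the hunk.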
@@ -218,3 +218,13 @@
 $string['regeneratepath'] = 'Certificate path path: {$a}';
 $string['regenerateheader'] = 'Regenerate Private Key and Certificate';
 $string['regeneratesuccess'] = 'Private Key and Certificate successfully regenerated';
+
+/*
+ * Role mapping
+ */
+$string['saml_role_map'] = "Role";
+$string['saml_rolemapping'] = "Role Mapping";
+$string['saml_rolemapping_head'] = "The IdP can use it's own roles. Set in this section the mapping between IdP and Moodle roles. Accepts multiple valued comma separated. Example: admin,owner,superuser.";
+$string['saml_role_siteadmin_map'] = "Site administrators";
+$string['saml_role_manager_map'] = "Manager";
+$string['saml_role_coursecreator_map'] = "Course creator";
\ No newline at end of file
diff --git a/locallib.php b/locallib.php
index 5f06de643..20e9157d4 100644
--- a/locallib.php
+++ b/locallib.php
@@ -543,3 +543,32 @@ function auth_saml2_admin_nav($title, $url) {
 $PAGE->set_heading(get_string('pluginname', 'auth_saml2') . ': ' . $title);
 $PAGE->set_title(get_string('pluginname', 'auth_saml2') . ': ' . $title);
 }
+
+/**
+* Map user roles from Roles array
+*
+*/
+function sync_roles($user,$attributes,$config) {
+ global $CFG, $DB;
+
+ // Process siteadmin (special, they are stored at mdl_config)
+ if(in_array($config->saml_role_siteadmin_map,$attributes['Role'])){
+ $siteadmins = explode(',', $CFG->siteadmins);
+ if (!in_array($user->id, $siteadmins)) {
+ $siteadmins[] = $user->id;
+ $newAdmins = implode(',', $siteadmins);
+ set_config('siteadmins', $newAdmins);
+ }
+ }
+
+ // Process coursecreator and manager
+ $syscontext = context_system::instance();
+ if(in_array($config->saml_role_coursecreator_map,$attributes['Role'])){
+ $creatorrole = $DB->get_record('role', array('shortname'=>'coursecreator'), '*', MUST_EXIST);
+ role_assign($creatorrole->id, $user->id, $syscontext);
+ }
+ if (in_array($config->saml_role_manager_map, $attributes['Role'])) {
+ $managerrole = $DB->get_record('role', array('shortname'=>'manager'), '*', MUST_EXIST);
+ role_assign($managerrole->id, $user->id, $syscontext);
+ }
+}
\ No newline at end of file
diff --git a/settings.php b/settings.php
index 78748f63b..01c6a3675 100644
--- a/settings.php
+++ b/settings.php
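Review bot: sync_roles only ever grants: once an assertion has carried the mapped value, the site admin, manager or course creator assignment survives every later login in which the value is absent, so revocation at the IdP never reaches Moodle. The system-context grants should be made with the component argument, `role_assign($creatorrole->id, $user->id, $syscontext, 'auth_saml2');`, so that a login without the role can remove them with role_unassign without touching manually granted assignments; `siteadmins` carries no provenance, so dropping a user from it when the role disappears has to be a deliberate choice, but it should at least be logged. The three membership tests also run loose `in_array()` against settings whose default is `''`, so with no mapping configured an empty-string value in the attribute promotes the user to site admin; `$attributes['Role']` is read without an `isset()` guard (an assertion without that attribute errors instead of being a no-op) and the attribute name ignores the `field_map_role` setting that settings.php adds, assuming `$config` is the plugin's get_config() object as the `saml_role_*` reads already presume. Moodle style: locallib functions take the `auth_saml2_` prefix, `$newAdmins` should be lower-case, and the docblock needs `@param`/`@return` lines. The sketch below shows the guarded lookup; the assignment blocks are otherwise unchanged.

```php
function sync_roles($user, $attributes, $config) {
    global $CFG, $DB;

    // The attribute name is the auth_saml2/field_map_role setting; 'Role' is the fallback.
    $attrname = empty($config->field_map_role) ? 'Role' : $config->field_map_role;
    $idproles = isset($attributes[$attrname]) ? (array) $attributes[$attrname] : array();
    // A blank mapping means "not mapped"; compare strictly so '' can never match.
    $hasrole = function ($map) use ($idproles) {
        $map = trim((string) $map);
        return $map !== '' && in_array($map, $idproles, true);
    };

    if ($hasrole($config->saml_role_siteadmin_map)) {
        // … unchanged: add $user->id to $CFG->siteadmins …
    }

    $syscontext = context_system::instance();
    // … unchanged: coursecreator and manager blocks, with $hasrole(...) replacing in_array(...)
    //     and 'auth_saml2' passed as role_assign()'s component so the grants can be revoked …
}
```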
@@ -298,6 +298,42 @@
 $authplugin->get_ssp_version()
 ));
+ // Role mapping
+ $name = 'auth_saml2/field_map_role';
+ $title = get_string('saml_role_map', 'auth_saml2');
+ $description = '';
+ $default = '';
+ $setting = new admin_setting_configtext($name, $title, $description, $default, PARAM_ALPHANUMEXT);
+ $settings->add($setting);
+
+ $settings->add(
+ new admin_setting_heading(
+ 'auth_saml2/saml_rolemapping',
+ new lang_string('saml_rolemapping', 'auth_saml2'),
+ new lang_string('saml_rolemapping_head', 'auth_saml2')
+ )
+ );
+
+ $name = 'auth_saml2/saml_role_siteadmin_map';
+ $title = get_string('saml_role_siteadmin_map', 'auth_saml2');
+ $description = '';
+ $default = '';
+ $setting = new admin_setting_configtext($name, $title, $description, $default, PARAM_ALPHANUMEXT);
+ $settings->add($setting);
+
+ $name = 'auth_saml2/saml_role_manager_map';
+ $title = get_string('saml_role_manager_map', 'auth_saml2');
+ $description = '';
+ $default = '';
+ $setting = new admin_setting_configtext($name, $title, $description, $default, PARAM_ALPHANUMEXT);
+ $settings->add($setting);
+
+ $name = 'auth_saml2/saml_role_coursecreator_map';
+ $title = get_string('saml_role_coursecreator_map', 'auth_saml2');
+ $description = '';
+ $default = '';
+ $setting = new admin_setting_configtext($name, $title, $description, $default, PARAM_ALPHANUMEXT);
+ $settings->add($setting);
 // Display locking / mapping of profile fields.
 $help = get_string('auth_updatelocal_expl', 'auth');
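Review bot: All four `admin_setting_configtext` settings are cleaned with PARAM_ALPHANUMEXT, which strips every character outside letters, digits, `_` and `-` on save, so the comma-separated lists the section heading promises (`admin,owner,superuser`) are silently stored as one fused word and IdP role names carrying `:`, `.`, `/` or spaces (group DNs, URNs) are mangled into values that never match; use PARAM_TEXT (or PARAM_RAW_TRIMMED) and split on commas where the value is consumed. The `auth_saml2/field_map_role` setting is added but no code in this commit reads it (the helper in locallib.php hard-codes `'Role'`), so an admin who changes it will believe the attribute name took effect when it did not; wire it into the lookup or leave it out until it is used. It is also added above the `admin_setting_heading`, so it renders under the previous section rather than under "Role Mapping"; move it below the heading. Every setting passes `''` as `$description`; a one-line description stating which attribute values grant the role is worth adding, since a wrong value here escalates privilege on every login.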