Allow IdP to have separate config settings including field mappings

classes/admin/setting_idpmetadata.php

@@ -193,6 +193,7 @@ private function remove_old_idps($oldidps) {
         foreach ($oldidps as $metadataidps) {
             foreach ($metadataidps as $oldidp) {
                 $DB->delete_records('auth_saml2_idps', array('id' => $oldidp->id));
+                $DB->delete_records('auth_saml2_idpsettings', ['idpid' => $oldidp->id]);
             }
         }
     }

classes/auth.php

@@ -155,6 +155,40 @@ public function __construct() {
         // Check if we have mutiple IdPs configured.
         // If we have mutliple metadata entries set multiidp to true.
         $this->multiidp = (count($this->metadataentities) > 1);
+
+        // Get the list of IdPs and their mapping settings.
+        $this->idplist = $this->get_idp_list();
+        if (isset($_GET['idp']) && !empty($_GET['idp'])) {
+            $selectedidp = $_GET['idp'];
+            if (isset($this->idplist[$selectedidp]) && !empty($this->idplist[$selectedidp])) {
+                foreach ($this->idplist[$selectedidp] as $key => $value) {
+                    $this->config->$key = $value;
+                }
+            }
+        }
+    }
+
+    /**
+     * Return array of all the IdPs and their configuration settings.
+     *
+     * @return array
+     **/
+    public function get_idp_list() {
+        $idps = auth_saml2_get_idps(true);
+        $idpconfig = [];
+
+        // Re-index the object to use shortname as the key.
+        foreach ($idps as $idp) {
+            foreach ($idp as $key => $value) {
+                $config = auth_saml2_get_idp_settings($value->id);
+                if ($config) {
+                    $arrayconfig[$key] = $config;
+                } else {
+                    $arrayconfig[$key] = [];
+                }
+            }
+        }
+        return $idpconfig;
     }
 
     /**
@@ -260,6 +294,8 @@ public function loginpage_idp_list($wantsurl) {
 
         // The array of IdPs to return.
         $idplist = [];
+        // Get the list of IdPs and their configuration settings.
+        $this->idplist = $this->get_idp_list();
 
         // Create IdP metadata url => name mapping.
         $idpurls = array_combine(array_column($this->metadatalist, 'idpurl'), array_column($this->metadatalist, 'idpname'));
@@ -584,21 +620,16 @@ public function saml_login() {
         // We store the IdP in the session to generate the config/config.php array with the default local SP.
         $idpalias = optional_param('idpalias', '', PARAM_TEXT);
         if (!empty($idpalias)) {
-            $idpfound = false;
-
-            foreach ($this->metadataentities as $idpentity) {
-                if ($idpalias == $idpentity->alias) {
-                    $SESSION->saml2idp = $idpentity->md5entityid;
-                    $idpfound = true;
-                    break;
-                }
-            }
-
+            $idpfound = $this->saml_validateidp('alias', $idpalias);
             if (!$idpfound) {
                 $this->error_page(get_string('noidpfound', 'auth_saml2', $idpalias));
             }
         } else if (isset($_GET['idp'])) {
             $SESSION->saml2idp = $_GET['idp'];
+            $idpfound = $this->saml_validateidp('md5entityid', $_GET['idp']);
+            if (!$idpfound) {
+                $this->error_page(get_string('noidpfound', 'auth_saml2', $_GET['idp']));
+            }
         } else if (!is_null($this->defaultidp)) {
             $SESSION->saml2idp = $this->defaultidp->md5entityid;
         } else if ($this->multiidp) {
@@ -635,6 +666,26 @@ public function saml_login() {
         $this->saml_login_complete($attributes);
     }
 
+    /**
+     * Check if valid IdP and is Active.
+     *
+     * @param string $idptype alias or md5entityid
+     * @param string $idp IdP Alias or IdP entity
+     * @return bool
+     */
+    public function saml_validateidp(string $idptype, string $idp) {
+        global $SESSION;
+        $idpfound = false;
+
+        foreach ($this->metadataentities as $idpentity) {
+            if ($idp == $idpentity->{$idptype}) {
+                $SESSION->saml2idp = $idpentity->md5entityid;
+                $idpfound = true;
+                break;
+            }
+        }
+        return $idpfound;
+    }
 
     /**
      * The user has done the SAML handshake now we can log them in
@@ -974,7 +1025,7 @@ public function simplify_attr($attributes) {
     public function update_user_record_from_attribute_map(&$user, $attributes, $newuser= false) {
         global $CFG;
 
-        $mapconfig = get_config('auth_saml2');
+        $mapconfig = $this->config;
         $allkeys = array_keys(get_object_vars($mapconfig));
         $update = false;
 

classes/form/availableidps.php

@@ -74,6 +74,11 @@ public function definition() {
                 $mform->addElement('text', $fieldkey.'[alias]', get_string('multiidp:label:alias', 'auth_saml2'));
                 $mform->setType($fieldkey.'[alias]', PARAM_TEXT);
 
+                // Update IdP configuration settings.
+                $editmappings = new \moodle_url('edit.php', ['id' => $idpentity['id']]);
+                $mform->addElement('static', $fieldkey.'[mapping]',
+                    get_string('mappings', 'auth_saml2'), get_string('edit', 'auth_saml2', $editmappings));
+
                 // Add the activeidp checkbox.
                 $mform->addElement('advcheckbox', $fieldkey.'[activeidp]',
                     get_string('status', 'auth_saml2'), get_string('multiidp:label:active', 'auth_saml2'), [], [false, true]);

db/install.xml

@@ -37,5 +37,17 @@
         <KEY NAME="primary" TYPE="primary" FIELDS="id"/>
       </KEYS>
     </TABLE>
+    <TABLE NAME="auth_saml2_idpsettings" COMMENT="A key value store for IDPs">
+      <FIELDS>
+        <FIELD NAME="id" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="true"/>
+        <FIELD NAME="idpid" TYPE="int" LENGTH="10" NOTNULL="true" SEQUENCE="false"/>
+        <FIELD NAME="k" TYPE="char" LENGTH="255" NOTNULL="true" SEQUENCE="false"/>
+        <FIELD NAME="value" TYPE="text" NOTNULL="false" SEQUENCE="false"/>
+      </FIELDS>
+      <KEYS>
+        <KEY NAME="primary" TYPE="primary" FIELDS="id"/>
+        <KEY NAME="idpid_k" TYPE="unique" FIELDS="idpid, k"/>
+      </KEYS>
+    </TABLE>
   </TABLES>
 </XMLDB>

db/upgrade.php

@@ -410,5 +410,28 @@ function xmldb_auth_saml2_upgrade($oldversion) {
         upgrade_plugin_savepoint(true, 2023100300, 'auth', 'saml2');
     }
 
+    if ($oldversion < 2023100301) {
+
+        // Define table auth_saml2_idpsettings to be created.
+        $table = new xmldb_table('auth_saml2_idpsettings');
+
+        // Adding fields to table auth_saml2_idpsettings.
+        $table->add_field('id', XMLDB_TYPE_INTEGER, '10', null, XMLDB_NOTNULL, XMLDB_SEQUENCE, null);
+        $table->add_field('idpid', XMLDB_TYPE_INTEGER, '10', null, XMLDB_NOTNULL, null, null);
+        $table->add_field('k', XMLDB_TYPE_CHAR, '255', null, XMLDB_NOTNULL, null, null);
+        $table->add_field('value', XMLDB_TYPE_TEXT, null, null, null, null, null);
+
+        // Adding keys to table auth_saml2_idpsettings.
+        $table->add_key('primary', XMLDB_KEY_PRIMARY, ['id']);
+        $table->add_key('idpid_k', XMLDB_KEY_UNIQUE, ['idpid, k']);
+
+        // Conditionally launch create table for auth_saml2_idpsettings.
+        if (!$dbman->table_exists($table)) {
+            $dbman->create_table($table);
+        }
+
+        upgrade_plugin_savepoint(true, 2023100301, 'auth', 'saml2');
+    }
+
     return true;
 }

edit.php

@@ -0,0 +1,76 @@
+<?php
+// This file is part of SAML2 Authentication Plugin for Moodle
+//
+// Moodle is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Moodle is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
+
+/**
+ * Edit IdP config settings and data mappings.
+ *
+ * @package     auth_saml2
+ * @author      Jackson D'Souza <[email protected]>
+ * @copyright   2019 Catalyst IT Europe {@link http://www.catalyst-eu.net}
+ * @license     http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
+ */
+
+require_once('../../config.php');
+require_once('locallib.php');
+require_once('edit_form.php');
+
+defined('MOODLE_INTERNAL') || die;
+
+$id = optional_param('id', null, PARAM_INT);
+$pagetitle = get_string('editidp', 'auth_saml2');
+
+$pageparams = [];
+if (isset($id)) {
+    $pageparams['id'] = $id;
+}
+
+$idprecord = $DB->get_record('auth_saml2_idps', $pageparams, '*', MUST_EXIST);
+
+$PAGE->set_pagelayout('standard');
+$PAGE->set_context(context_system::instance());
+$PAGE->set_url('/auth/saml2/edit.php', $pageparams);
+$PAGE->set_title($pagetitle);
+$PAGE->set_heading($pagetitle);
+
+$PAGE->navbar->add(get_string('administrationsite'));
+$PAGE->navbar->add(get_string('plugins', 'admin'));
+$PAGE->navbar->add(get_string('authentication', 'admin'));
+$PAGE->navbar->add(get_string('pluginname', 'auth_saml2'),
+        new moodle_url('/admin/settings.php', ['section' => 'authsettingsaml2']));
+$PAGE->navbar->add(get_string('manageidpsheading', 'auth_saml2'), new moodle_url('/auth/saml2/availableidps.php'));
+$PAGE->navbar->add($idprecord->displayname);
+$PAGE->navbar->add($pagetitle);
+
+require_login();
+require_capability('moodle/site:config', context_system::instance());
+
+$formparams['data'] = auth_saml2_get_idp_settings($id);
+$formurl = new moodle_url($PAGE->url);
+$mform = new auth_saml2_idp_edit_form($formurl, $formparams);
+
+// Cancelled, return to main listing view.
+if ($mform->is_cancelled()) {
+    redirect(new moodle_url('/auth/saml2/availableidps.php'));
+    exit;
+} else if ($formdata = $mform->get_data()) {
+    auth_saml2_save_idp($formdata, $id);
+    redirect(new moodle_url('/auth/saml2/availableidps.php'));
+    exit;
+}
+
+echo $OUTPUT->header();
+$mform->display();
+echo $OUTPUT->footer();