Adapted to MOODLE_39_STABLE

vinolas · vinolas · commit b8d362d76e88 · 2021-06-10T23:16:03.000+02:00
diff --git a/README.md b/README.md
@@ -59,6 +59,7 @@ Features
 * Automatic certificate creation
 * Optionally auto create users
 * Support for multiple identity providers
+* Role mapping for admin, manager and course_creator system roles
 * Idp initiated flow / IdP first flow /  IdP unsolicited logins, eg:
 
 http://idp.local/simplesaml/saml2/idp/SSOService.php?spentityid=http://moodle.local/auth/saml2/sp/metadata.php&RelayState=http://moodle.local/course/view.php?id=2
@@ -67,7 +68,6 @@ http://idp.local/simplesaml/saml2/idp/SSOService.php?spentityid=http://moodle.lo
 Features not yet implemented:
 
 * Enrolment - this should be an enrol plugin and not in an auth plugin
-* Role mapping - not yet implemented
 
 Branches
 --------
diff --git a/classes/auth.php b/classes/auth.php
@@ -687,6 +687,9 @@ public function saml_login_complete($attributes) {
             set_config('siteadmins', implode(',', $admins));
         }
 
+        // Synchronize IdP roles to moodle
+        sync_roles($user, $attributes, $this->config);
+
         // Make sure all user data is fetched.
         $user = get_complete_user_data('username', $user->username);
 
diff --git a/lang/en/auth_saml2.php b/lang/en/auth_saml2.php
@@ -218,3 +218,13 @@
 $string['regeneratepath'] = 'Certificate path path: {$a}';
 $string['regenerateheader'] = 'Regenerate Private Key and Certificate';
 $string['regeneratesuccess'] = 'Private Key and Certificate successfully regenerated';
+
+/*
+ * Role mapping
+ */
+$string['saml_role_map'] = "Role";
+$string['saml_rolemapping'] = "Role Mapping";
+$string['saml_rolemapping_head'] = "The IdP can use it's own roles. Set in this section the mapping between IdP and Moodle roles. Accepts multiple valued comma separated. Example: admin,owner,superuser.";
+$string['saml_role_siteadmin_map'] = "Site administrators";
+$string['saml_role_manager_map'] = "Manager";
+$string['saml_role_coursecreator_map'] = "Course creator";
diff --git a/locallib.php b/locallib.php
@@ -543,3 +543,32 @@ function auth_saml2_admin_nav($title, $url) {
     $PAGE->set_heading(get_string('pluginname', 'auth_saml2') . ': ' . $title);
     $PAGE->set_title(get_string('pluginname', 'auth_saml2') . ': ' . $title);
 }
+
+/**
+* Map user roles from Roles array
+*
+*/
+function sync_roles($user,$attributes,$config) {
+    global $CFG, $DB;
+
+    // Process siteadmin (special, they are stored at mdl_config)
+    if(in_array($config->saml_role_siteadmin_map,$attributes['Role'])){
+        $siteadmins = explode(',', $CFG->siteadmins);
+        if (!in_array($user->id, $siteadmins)) {
+            $siteadmins[] = $user->id;
+            $newAdmins = implode(',', $siteadmins);
+            set_config('siteadmins', $newAdmins);
+        }
+    }
+
+    // Process coursecreator and manager
+    $syscontext = context_system::instance();
+    if(in_array($config->saml_role_coursecreator_map,$attributes['Role'])){
+        $creatorrole = $DB->get_record('role', array('shortname'=>'coursecreator'), '*', MUST_EXIST);
+        role_assign($creatorrole->id, $user->id, $syscontext);
+    }
+    if (in_array($config->saml_role_manager_map, $attributes['Role'])) {
+        $managerrole = $DB->get_record('role', array('shortname'=>'manager'), '*', MUST_EXIST);
+        role_assign($managerrole->id, $user->id, $syscontext);
+    }
+}
diff --git a/settings.php b/settings.php
@@ -298,6 +298,42 @@
             $authplugin->get_ssp_version()
             ));
 
+    // Role mapping
+    $name = 'auth_saml2/field_map_role';
+    $title = get_string('saml_role_map', 'auth_saml2');
+    $description = '';
+    $default = '';
+    $setting = new admin_setting_configtext($name, $title, $description, $default, PARAM_ALPHANUMEXT);
+    $settings->add($setting);
+
+    $settings->add(
+        new admin_setting_heading(
+            'auth_saml2/saml_rolemapping',
+            new lang_string('saml_rolemapping', 'auth_saml2'),
+            new lang_string('saml_rolemapping_head', 'auth_saml2')
+        )
+    );
+
+    $name = 'auth_saml2/saml_role_siteadmin_map';
+    $title = get_string('saml_role_siteadmin_map', 'auth_saml2');
+    $description = '';
+    $default = '';
+    $setting = new admin_setting_configtext($name, $title, $description, $default, PARAM_ALPHANUMEXT);
+    $settings->add($setting);
+
+    $name = 'auth_saml2/saml_role_manager_map';
+    $title = get_string('saml_role_manager_map', 'auth_saml2');
+    $description = '';
+    $default = '';
+    $setting = new admin_setting_configtext($name, $title, $description, $default, PARAM_ALPHANUMEXT);
+    $settings->add($setting);
+    
+    $name = 'auth_saml2/saml_role_coursecreator_map';
+    $title = get_string('saml_role_coursecreator_map', 'auth_saml2');
+    $description = '';
+    $default = '';
+    $setting = new admin_setting_configtext($name, $title, $description, $default, PARAM_ALPHANUMEXT);
+    $settings->add($setting);
 
     // Display locking / mapping of profile fields.
     $help = get_string('auth_updatelocal_expl', 'auth');

Original file line number	Diff line number	Diff line change
`@@ -687,6 +687,9 @@ public function saml_login_complete($attributes) {`
`687`	`687`	`set_config('siteadmins', implode(',', $admins));`
`688`	`688`	`}`
`689`	`689`
	`690`	`+ // Synchronize IdP roles to moodle`
	`691`	`+ sync_roles($user, $attributes, $this->config);`
	`692`	`+`
`690`	`693`	`// Make sure all user data is fetched.`
`691`	`694`	`$user = get_complete_user_data('username', $user->username);`
`692`	`695`