SimpleSAML email address breaks login for user

Question

SimpleSAML email address breaks login for user

davidrkupton opened this issue 2 years ago · comments

When an FID record does not have an email address (can happen for any user, but more common for sponsored accounts), Drupal fakes an email address on first login.
This then seems to prevent the user from logging in via SSO until this manual workaround:

the username is manually set to the UID (can be done in the backend by someone with Administrator role)
the email address is set to a unique email on boston.gov (can be done in the backend by someone with Administrator role)
the realname record is manually updated to firstname lastname in Drupal's MySQL Database.

Need to either convince IAM to enforce the existence of an email address, or else update SimpleSAML in Drupal to accommodate the circumstance when an email address is missing from sso's SAML response. SAML need to be modified to create the record using the UID as the UserName, firstname.lastname@boston.gov as the email guess and firstname lastname as the realname.

David Upton · Answer 1 · Mon May 02 2022 20:36:27 GMT+0800 (China Standard Time)

Work effort 1-2 days to develop, 1-2 days to test

stephaniemar · Answer 2 · Wed Sep 14 2022 22:05:39 GMT+0800 (China Standard Time)

@davidrkupton Can we close this ticket or do we need to move it to JIRA?

David Upton · Answer 3 · Fri Sep 16 2022 00:46:48 GMT+0800 (China Standard Time)

@stephaniemar
I think this is still an issue.
It can only be solved by FID enforcing email addresses on all accounts created.
You can raise this with Gretchen to see if that poicy has or is likely to be adopted.

stephaniemar · Answer 4 · Fri Sep 16 2022 01:33:21 GMT+0800 (China Standard Time)

@davidrkupton IAM will be moving off of FID to Azure- will this still be an issue? Some accounts still will not have an email address.

David Upton · Answer 5 · Fri Sep 16 2022 01:57:57 GMT+0800 (China Standard Time)

Yes, the issue is that Drupal MUST have an email address to create an account. I can create a fake email address if needed, but if we ever implement functionality in the website to email back to the user, it will obviously fail for users with fake emails. I think you can move this to JIRA. We should address it. D

…

On Thu, Sep 15, 2022 at 1:33 PM stephaniemar ***@***.***> wrote: @davidrkupton <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_davidrkupton&d=DwMCaQ&c=jHPlKdF3zLuO12CD8lDt5g&r=I_xd1B4TcoerZD0cfelDi2nYa-O9wq1U9RSw7sL7u4s&m=bvWOBcKeGPzzCa7fPSrPZfaCkjAap2DvI73yK3f5oTV2xKjLqU4h5nqt68eUGIBV&s=tcIzPX9ygUancrIAusqwzKgAETeQWx2mTKxXixH2gns&e=> IAM will be moving off of FID to Azure- will this still be an issue? Some accounts still will not have an email address. — Reply to this email directly, view it on GitHub <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_CityOfBoston_boston.gov-2Dd8_issues_2481-23issuecomment-2D1248403452&d=DwMCaQ&c=jHPlKdF3zLuO12CD8lDt5g&r=I_xd1B4TcoerZD0cfelDi2nYa-O9wq1U9RSw7sL7u4s&m=bvWOBcKeGPzzCa7fPSrPZfaCkjAap2DvI73yK3f5oTV2xKjLqU4h5nqt68eUGIBV&s=if_L3G6NtWxGa7fVZvK5ssR2sn71ATYDX6pDO7WPYig&e=>, or unsubscribe <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_ABD3PETWYQZSKJTVTBT376LV6NMW3ANCNFSM5U33L6CQ&d=DwMCaQ&c=jHPlKdF3zLuO12CD8lDt5g&r=I_xd1B4TcoerZD0cfelDi2nYa-O9wq1U9RSw7sL7u4s&m=bvWOBcKeGPzzCa7fPSrPZfaCkjAap2DvI73yK3f5oTV2xKjLqU4h5nqt68eUGIBV&s=lV7WHNBMe6K6V_xenxR2BdDxCl4dhT56RMiI9kP88FQ&e=> . You are receiving this because you were mentioned.Message ID: ***@***.***>

-- [image: COB_B_Blue_square-01.png] David Upton Digital Team / Operations Team Department of Innovation and Technology 781 330 5041 (c)

stephaniemar · Answer 6 · Fri Sep 16 2022 01:58:57 GMT+0800 (China Standard Time)

Ok. Gretchen is on vacation this week, I will send her a note about this for when she gets back.

stephaniemar · Answer 7 · Thu Sep 22 2022 02:19:48 GMT+0800 (China Standard Time)

https://bostondoit.atlassian.net/browse/DIG-1028