Adds role mapping from Idp

README.md

@@ -59,6 +59,7 @@ Features
 * Automatic certificate creation
 * Optionally auto create users
 * Support for multiple identity providers
+* Role mapping for admin, manager and course_creator system roles
 * Idp initiated flow / IdP first flow /  IdP unsolicited logins, eg:
 
 http://idp.local/simplesaml/saml2/idp/SSOService.php?spentityid=http://moodle.local/auth/saml2/sp/metadata.php&RelayState=http://moodle.local/course/view.php?id=2
@@ -67,7 +68,6 @@ http://idp.local/simplesaml/saml2/idp/SSOService.php?spentityid=http://moodle.lo
 Features not yet implemented:
 
 * Enrolment - this should be an enrol plugin and not in an auth plugin
-* Role mapping - not yet implemented
 
 Branches
 --------

classes/auth.php

@@ -687,6 +687,9 @@ public function saml_login_complete($attributes) {
             set_config('siteadmins', implode(',', $admins));
         }
 
+        // Synchronize IdP roles to moodle
+        sync_roles($user, $attributes, $this->config);
+
         // Make sure all user data is fetched.
         $user = get_complete_user_data('username', $user->username);
 

lang/en/auth_saml2.php

@@ -218,3 +218,13 @@
 $string['regeneratepath'] = 'Certificate path path: {$a}';
 $string['regenerateheader'] = 'Regenerate Private Key and Certificate';
 $string['regeneratesuccess'] = 'Private Key and Certificate successfully regenerated';
+
+/*
+ * Role mapping
+ */
+$string['saml_role_map'] = "Role";
+$string['saml_rolemapping'] = "Role Mapping";
+$string['saml_rolemapping_head'] = "The IdP can use it's own roles. Set in this section the mapping between IdP and Moodle roles. Accepts multiple valued comma separated. Example: admin,owner,superuser.";
+$string['saml_role_siteadmin_map'] = "Site administrators";
+$string['saml_role_manager_map'] = "Manager";
+$string['saml_role_coursecreator_map'] = "Course creator";

locallib.php

@@ -543,3 +543,32 @@ function auth_saml2_admin_nav($title, $url) {
     $PAGE->set_heading(get_string('pluginname', 'auth_saml2') . ': ' . $title);
     $PAGE->set_title(get_string('pluginname', 'auth_saml2') . ': ' . $title);
 }
+
+/**
+* Map user roles from Roles array
+*
+*/
+function sync_roles($user,$attributes,$config) {
+    global $CFG, $DB;
+
+    // Process siteadmin (special, they are stored at mdl_config)
+    if(in_array($config->saml_role_siteadmin_map,$attributes['Role'])){
+        $siteadmins = explode(',', $CFG->siteadmins);
+        if (!in_array($user->id, $siteadmins)) {
+            $siteadmins[] = $user->id;
+            $newAdmins = implode(',', $siteadmins);
+            set_config('siteadmins', $newAdmins);
+        }
+    }
+
+    // Process coursecreator and manager
+    $syscontext = context_system::instance();
+    if(in_array($config->saml_role_coursecreator_map,$attributes['Role'])){
+        $creatorrole = $DB->get_record('role', array('shortname'=>'coursecreator'), '*', MUST_EXIST);
+        role_assign($creatorrole->id, $user->id, $syscontext);
+    }
+    if (in_array($config->saml_role_manager_map, $attributes['Role'])) {
+        $managerrole = $DB->get_record('role', array('shortname'=>'manager'), '*', MUST_EXIST);
+        role_assign($managerrole->id, $user->id, $syscontext);
+    }
+}

settings.php

@@ -298,6 +298,42 @@
             $authplugin->get_ssp_version()
             ));
 
+    // Role mapping
+    $name = 'auth_saml2/field_map_role';
+    $title = get_string('saml_role_map', 'auth_saml2');
+    $description = '';
+    $default = '';
+    $setting = new admin_setting_configtext($name, $title, $description, $default, PARAM_ALPHANUMEXT);
+    $settings->add($setting);
+
+    $settings->add(
+        new admin_setting_heading(
+            'auth_saml2/saml_rolemapping',
+            new lang_string('saml_rolemapping', 'auth_saml2'),
+            new lang_string('saml_rolemapping_head', 'auth_saml2')
+        )
+    );
+
+    $name = 'auth_saml2/saml_role_siteadmin_map';
+    $title = get_string('saml_role_siteadmin_map', 'auth_saml2');
+    $description = '';
+    $default = '';
+    $setting = new admin_setting_configtext($name, $title, $description, $default, PARAM_ALPHANUMEXT);
+    $settings->add($setting);
+
+    $name = 'auth_saml2/saml_role_manager_map';
+    $title = get_string('saml_role_manager_map', 'auth_saml2');
+    $description = '';
+    $default = '';
+    $setting = new admin_setting_configtext($name, $title, $description, $default, PARAM_ALPHANUMEXT);
+    $settings->add($setting);
+
+    $name = 'auth_saml2/saml_role_coursecreator_map';
+    $title = get_string('saml_role_coursecreator_map', 'auth_saml2');
+    $description = '';
+    $default = '';
+    $setting = new admin_setting_configtext($name, $title, $description, $default, PARAM_ALPHANUMEXT);
+    $settings->add($setting);
 
     // Display locking / mapping of profile fields.
     $help = get_string('auth_updatelocal_expl', 'auth');