User Just In Time Provisioning to Developer portal.

Hi All,

Need some quick help!!

I have come across the concept called User Just in Time Provisioning to the developer portal.

USECASE:

A user is registered in SiteMinder, and with the SM login details the user is able to log in to the developer portal with the Just In Time concept and has SAML authentication.

What I would like to do is this: I don't want the newly added user to be in Active state. I want to keep the newly logged-in user in Blocked state and trigger an email to my mailbox, so that I am notified that the user has logged in and needs to be activated manually.

Thanks in Advance!!


Here is what you can do, and this works for the use case you mentioned here.

Step 1: Enable SimpleSAML PHP, both the library and the modules. Configure them to make sure it works fine. There is a great article written by @gkoli@apigee.com here: https://community.apigee.com/articles/29201/sso-integration-via-saml-with-developer-portal.html

Step 2: Make sure you have the following setting enabled under admin/config/people/accounts

7067-user-accouts-admin.png

Step 3: Go to /admin/modules/. Enable the Rules and Rules UI modules. These modules will help you trigger an email when an event occurs. You can configure these. Here is a sample export code. You can import this and extend it as you see fit.

{ "rules_user_registration_email" : {
    "LABEL" : "User Registration Email",
    "PLUGIN" : "reaction rule",
    "OWNER" : "rules",
    "REQUIRES" : [ "rules" ],
    "ON" : { "user_insert" : [] },
    "IF" : [ { "user_is_blocked" : { "account" : [ "account" ] } } ],
    "DO" : [
      { "mail" : {
          "to" : [ "site:mail" ],
          "subject" : "New user Account created. ",
          "message" : "A new user account has been created. Its currently blocked. Please activate.",
          "from" : [ "site:mail" ],
          "language" : [ "" ]
        }
      }
    ]
  }
}

Let me know how it goes!


Thanks for the response @Jyothi K Reddy

Will try with the solution provided.

There are a few more findings along the way, as I was just referring to my existing SAML Authentication modules enabled in my portal.

I see an option called USER Provision in my SAML configuration. Please find the attachment for the same.

auto-provisioning-the-user-in-saml-authentication.png

Auto Provisioning is enabled for the users who can login with their internal SiteMinder details.

I would like to differentiate the user logins here.

--> If the user is internal, then this Auto Provision should be enabled with SAML authentication.

--> If the user is external, then when the user tries to log in for the first time this auto provisioning should not happen.

But both kinds of users are registered in SiteMinder. The only difference is that users who are internal to our organization should get auto-registered, and users with an external ID should be notified to us when they log in after their registration.

Thanks!!

Let the Auto provision be on. It will allow user accounts to be created.

Here is what I would do.

1. Define an attribute in your SAML response that identifies the user as 'internal' or 'external'

2. You need to set this value in a field that can be defined in User Object. This can be done using a custom module. Here is a great resource on drupal.org about how you can do that.

https://www.drupal.org/node/2414567

3. Now you simply need to define a rule (SimpleSAMLPHP has rules hooks available) and do a check on user registration via SimpleSAML, whether the logged-in user has the attribute as 'internal' or 'external'. Based on this you can set up an action in Rules to activate the account or send you an email.

Good luck with your implementation!
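
The three steps in the last reply can be expressed as a Rules export in the same format as the sample earlier in the thread. This is an added example, not part of the original posts or of any module's shipped configuration. It assumes a hypothetical text field `field_user_origin` on the user entity, which your custom module fills with 'internal' or 'external' from the SAML attribute before the account is saved.

```json
{ "rules_block_non_internal_saml_users" : {
    "LABEL" : "Example: block new SAML users not marked internal (hypothetical field_user_origin)",
    "PLUGIN" : "reaction rule",
    "OWNER" : "rules",
    "REQUIRES" : [ "rules" ],
    "ON" : { "user_insert" : [] },
    "IF" : [
      { "entity_has_field" : { "entity" : [ "account" ], "field" : "field_user_origin" } },
      { "NOT data_is" : { "data" : [ "account:field-user-origin" ], "value" : "internal" } }
    ],
    "DO" : [
      { "user_block" : { "account" : [ "account" ] } },
      { "mail" : {
          "to" : [ "site:mail" ],
          "subject" : "New external user account awaiting approval",
          "message" : "The account [account:name] was created through SAML login and is not marked internal. It has been blocked. Please review and activate it manually.",
          "from" : [ "site:mail" ],
          "language" : [ "" ]
        }
      }
    ]
  }
}
```

The condition is written as "not internal" rather than "is external", so an account whose SAML response lacks the attribute, or carries an unexpected value, is also blocked and reported instead of being left active.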