Role Mapping

  • Role mapping is a useful feature that allows you to assign user roles in Drupal based on attribute values from the Identity Provider (IdP) during SSO authentication. With role mapping, you can dynamically assign Drupal user roles based on specific attribute values provided by the IdP.

Steps for role mapping:

  • Go to the Mapping tab > Role Mapping.
  • Enable the Enable Role Mapping checkbox.
  • Select the default role for new users from the dropdown menu labelled Select default role for new users. The chosen role will be assigned to the user after the user logs in for the first time using SSO.
  • Enter the IdP attribute name in the Role Key text box that decides the user's role in Drupal.
  • In the Role Attributes Mapping table enter the following information:
    • SP Role → User’s role in Drupal.
    • IdP Role → Actual attribute value will be received in SAML response.
  • Click on the Add button if you want to map more roles.
  • Scroll down and click on the Save Configuration button.

Example:

  • Let's consider an example where the IdP sends the attribute "role" in the SAML response during SSO.
  • In the Role Mapping configuration, we define the following mapping:
    • Role Key: role
    • IdP Role: manager
    • SP Role: Administrator
  • When a user with the "manager" role logs in through SSO, the module will assign the "Administrator" role to the corresponding Drupal user.

Role Assignment Logic:

  • During SSO, the module retrieves the attribute values from the IdP response.
  • The attribute values are compared against the configured attribute mappings.
  • If a match is found, the corresponding Drupal role is assigned to the user.
  • If no match is found, the default role is assigned to the user.

Dynamic Role Updates:

  • The module ensures that role assignments stay synchronised with any changes in the attribute values provided by the IdP.
  • If an attribute value changes during subsequent SSO attempts, the corresponding Drupal user's role is automatically updated.
  • The role mapping feature also offers the choice to disable role revocation during SSO when there is no valid mapping found for the user's attribute. To prevent the Drupal user's role from being revoked if it is removed from IdP, you can check the box labelled Do not update user role if roles are not mapped under the Mapping > Role Mapping.