User provider: load by SAML attributes? #33

Open
quentint opened this issue Mar 28, 2023 · 5 comments

@quentint
quentint commented Mar 28, 2023

Hi and thanks for your work on this bundle!
I'm currently in the process of integrating it inside a new Symfony site.

In my use-case I don't want the user provider to create users on SAML success, but rather:

  • retrieve the SAML attributes
  • process them depending on the IdP
  • and determine the username/identifier based on these attributes and IdP.

I used to use aerialship/saml-sp-bundle which had a handy UserManagerInterface with loadUserBySamlInfo(SamlSpInfo $samlInfo): UserInterface. The user provider could implement this interface, and that method would be called on SAML auth success. See the docs for a few more details.

Note: It also has a createUserFromSamlInfo(SamlSpInfo $samlInfo): UserInterface but I'm currently not interested in this feature 😉

Is something similar currently possible (maybe listening to an event)?
If not, do you think it could improve the bundle?

Thanks!

@a-menshchikov
Contributor

@quentint hi!
You're looking for something like just-in-time user provisioning, right? (Without user persistence in the database.)

@quentint
Author

Well, it could be, but I don't want to create new users, but rather load one (or none) based on the SAML attributes. Is that compatible?

@a-menshchikov
Contributor

It looks like you need just a User Provider, without any User Factory. If you load users from a database, you can use EntityUserProvider and use SAML attributes injection.

@quentint
Author

I've also considered this feature. But if I'm correct, it will inject SAML attributes in a User instance, which would have previously been loaded by the user provider. But what I'm looking for is a bit different: loading a user using the received SAML attributes 😉

@a-menshchikov
Contributor

If you wish to use multiple attributes for user loading, I have no ideas for you, sorry.
But if you have only one attribute that may be used as the identifier, you can use the identifier_attribute option.
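
One way to express the three steps from the original question in plain PHP, as an added example that is not code from the bundle or from either participant. `SamlIdentifierResolver`, its rule format, the entity IDs and the attribute names are all hypothetical, and obtaining the IdP entity ID and attributes from the validated SAML response is assumed to happen elsewhere.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of the bundle): maps SAML attributes to a
// local user identifier, with a separate rule per IdP entity ID.
final class SamlIdentifierResolver
{
    /** @param array<string, array{attribute: string, normalize: callable}> $rules */
    public function __construct(private array $rules) {}

    /**
     * @param array<string, array<int, string>> $attributes multi-valued SAML attributes
     * @return string|null identifier for the user provider, or null for "load nobody"
     */
    public function resolve(string $idpEntityId, array $attributes): ?string
    {
        // Unknown IdP: never fall back to another IdP's rule.
        $rule = $this->rules[$idpEntityId] ?? null;
        if ($rule === null) {
            return null;
        }
        $values = array_values((array) ($attributes[$rule['attribute']] ?? []));
        // Require exactly one non-empty value; an ambiguous assertion loads nobody.
        if (count($values) !== 1 || !is_string($values[0]) || trim($values[0]) === '') {
            return null;
        }
        return ($rule['normalize'])(trim($values[0]));
    }
}

// Constructed sample rules: entity IDs and attribute names are placeholders.
$resolver = new SamlIdentifierResolver([
    'https://idp-a.example/metadata' => [
        'attribute' => 'mail',
        'normalize' => static fn (string $v): string => strtolower($v),
    ],
    'https://idp-b.example/metadata' => [
        // Prefix keeps IdP B's numbering from colliding with other identifiers.
        'attribute' => 'employeeNumber',
        'normalize' => static fn (string $v): string => 'idp-b:' . $v,
    ],
]);

// Constructed inputs: a match per IdP, a wrong attribute, and an unknown IdP.
var_dump($resolver->resolve('https://idp-a.example/metadata', ['mail' => ['Alice@Example.org']]));
var_dump($resolver->resolve('https://idp-b.example/metadata', ['employeeNumber' => ['1042']]));
var_dump($resolver->resolve('https://idp-b.example/metadata', ['mail' => ['alice@example.org']]));
var_dump($resolver->resolve('https://unknown.example/metadata', ['mail' => ['alice@example.org']]));
```

Keying the rule on the IdP entity ID means an attribute asserted by one IdP is never interpreted under another IdP's rule, and a `null` result lets the caller refuse the login instead of creating a user.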
