Add saml user auto-creation

- Add option to auto-create user upon login
- Add support for mapping fields from Idp to SuiteCRM

config/core_services.yaml

@@ -56,6 +56,7 @@ services:
       $subpanelTopActions: '%module.subpanel.top_actions%'
       $subpanelTopButtons: '%module.subpanel.top_buttons%'
       $ldapAutoCreateExtraFieldsMap: '%ldap.autocreate.extra_fields_map%'
+      $samlAutoCreateAttributesMap: '%saml.autocreate.attributes_map%'
       $logoutConfig: '%auth.logout%'
   _instanceof:
     App\Process\Service\ProcessHandlerInterface:
@@ -272,6 +273,10 @@ services:
     $ldapUserProvider: '@security.user.provider.concrete.ldap_users'
     $entityUserProvider: '@security.user.provider.concrete.app_user_provider'
 
+  saml_user_factory:
+    alias: App\Security\Saml\AppSamlUserFactory
+    public: true
+
   legacy.route.handler:
     alias: App\Routes\Service\LegacyRouteHandler
     public: true

config/packages/security.php

@@ -178,6 +178,31 @@ return static function (ContainerConfigurator $containerConfig) {
 
     if ($authType === 'saml') {
 
+        $samlAutoCreate = $env['SAML_AUTO_CREATE'] ?? 'disabled';
+
+        $samlMainFirewallConfig = [
+            'context' => 'app_context',
+            'pattern' => '^/(?!auth)',
+            'saml' => [
+                'provider' => 'app_user_provider',
+                // Match SAML attribute 'uid' with username.
+                // Uses getNameId() method by default.
+                'username_attribute' => '%env(SAML_USERNAME_ATTRIBUTE)%',
+                'use_attribute_friendly_name' => '%env(bool:SAML_USE_ATTRIBUTE_FRIENDLY_NAME)%',
+                // Use the attribute's friendlyName instead of the name
+                'check_path' => 'saml_acs',
+                'login_path' => 'saml_login',
+                'always_use_default_target_path' => true
+            ],
+            'logout' => [
+                'path' => 'saml_logout'
+            ]
+        ];
+
+        if ($samlAutoCreate === 'enabled') {
+            $samlMainFirewallConfig['saml']['user_factory'] = 'saml_user_factory';
+        }
+
         $containerConfig->extension('security', [
             'providers' => [
                 'app_user_provider' => [
@@ -193,24 +218,7 @@ return static function (ContainerConfigurator $containerConfig) {
                 ],
             ],
             'firewalls' => array_merge_recursive($baseFirewall, [
-                'main' => [
-                    'context' => 'app_context',
-                    'pattern' => '^/(?!auth)',
-                    'saml' => [
-                        'provider' => 'app_user_provider',
-                        // Match SAML attribute 'uid' with username.
-                        // Uses getNameId() method by default.
-                        'username_attribute' => '%env(SAML_USERNAME_ATTRIBUTE)%',
-                        'use_attribute_friendly_name' => '%env(bool:SAML_USE_ATTRIBUTE_FRIENDLY_NAME)%',
-                        // Use the attribute's friendlyName instead of the name
-                        'check_path' => 'saml_acs',
-                        'login_path' => 'saml_login',
-                        'always_use_default_target_path' => true
-                    ],
-                    'logout' => [
-                        'path' => 'saml_logout'
-                    ]
-                ],
+                'main' => $samlMainFirewallConfig,
                 'auth' => [
                     'context' => 'app_context',
                     'pattern' => '^/auth',

config/services/saml/saml.yaml

@@ -0,0 +1,2 @@
+parameters:
+  saml.autocreate.attributes_map: