Unable to override standard claims_field_mappings, yaml configuration is appended instead.

[s-kerdel]

Hi there!

I have a simple question regarding the standard supplied claims_field_mappings which is provided by the SAMLMemberExtension. In our use case we are connected to an Azure AD instance.

The configuration of this case contains the following mapping since we only require the email address.

---
Name: mysamlsettings
After: '#samlsettings'
---
SilverStripe\SAML\Services\SAMLConfiguration:
  strict: true
  debug: false
  expect_binary_nameid: false
  allow_insecure_email_linking: true
  # security related SP / IdP and Security are removed since they do not involve this question.

SilverStripe\SAML\Extensions\SAMLMemberExtension:
  claims_field_mappings:
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Email'

The SAML authentication flow is now working as desired, but the following entries are added to the error log:

I would expect that, by overriding the claims_field_mappings, those errors should not appear.
When I debug the contents of Member::config()->claims_field_mappings it tells me that it contains the following claims:

'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname' => 'FirstName',
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname' => 'Surname',
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress' => 'Email',
'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Email',

It looks like the claims_field_mappings on SAMLMemberExtension being a static variable is causing this issue. Whenever I remove the static from the assignment, my Member::config()->claims_field_mappings will look like:

'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Email',

Which would - in my theory resolve the errors I receive due to unassigned claims.

I've looked into the option to 'ignore' those specific warnings, which is not possible with a yaml configuration.
Please let me know what your thoughts are about this.

I am not looking into mapping those additional fields (yet).

Composer version(s):
SS4: SilverStripe framework v4.8
SAML: v2.1.2

[baukezwaan]

I think that's due to the way these yml-settings work with arrays, it is always appending - not overwriting.
See also: https://docs.silverstripe.org/en/5/developer_guides/configuration/configuration/#configuration-values

So you might want to try something like this:

---
Name: mysamlsettings
After: '#samlsettings'
---
SilverStripe\SAML\Extensions\SAMLMemberExtension:
  claims_field_mappings: null


---
Name: mysamlsettings_second
After: '#mysamlsettings'
---
SilverStripe\SAML\Services\SAMLConfiguration:
  strict: true
  debug: false
  expect_binary_nameid: false
  allow_insecure_email_linking: true
  # security related SP / IdP and Security are removed since they do not involve this question.

SilverStripe\SAML\Extensions\SAMLMemberExtension:
  claims_field_mappings:
    'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Email'

[s-kerdel]

Hey @baukezwaan,

I haven't had a reason to resolve the errors until now. I just tried your proposal, and this seems to solve the issue.
Somehow I would have imagined that some kind of setter / override would be a prettier solution, but for now this works.

Thanks!

P.s. I'm not quite sure if this resolves this ticket, I would think that other people could also be encountered with such case and there is no documentation in this SAML module about this (yet).