Pass a set of roles from ProxyConnect SSO to vanilla

carlokok New
edited April 2011 in Vanilla 2.0 - 2.2
Is it possible to pass a set of roles that should be applied to a given account during the SSO login? For example, something like:


where it would remove the roles that aren't in the list and add the ones that are? The authentication URL can return this info.


  • I've been trying to work out how to do this for a long time, and have not been able to find a hook that works consistently. Instead I push the role links to Vanilla from the CMS using a cron job. It is not ideal, but it works.

    The authentication page lists name/value pairs of data, and there are no restrictions on the additional data that you can add to this page. So in theory the roles can be passed across, but capturing them in any kind of custom code hooked into ProxyConnect is the difficulty. I find that by the time the point is reached where the user is created, the additional data passed in through the authentication page is long gone.
  • carlokok New
    edited April 2011
    What I did now is pass the Role in the authenticate. Then in


    public function Authenticate() {

    $UserEmail = ArrayValue('Email', $Response);
    + $Roles = ArrayValue('Roles', $Response);
    $UserName = ArrayValue('Name', $Response);
    $UserName = trim(preg_replace('/[^a-z0-9- ]+/i','',$UserName));
    $TransientKey = ArrayValue('TransientKey', $Response, NULL);
    // Validate remote credentials against local auth tables
    $AuthResponse = $this->ProcessAuthorizedRequest($Provider['AuthenticationKey'], $UserUnique, $UserName, $TransientKey, array(
    'Email' => $UserEmail,
    + 'Roles' => $Roles
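
    Review bot: $Roles = ArrayValue('Roles', $Response); takes the role list straight from the remote response, and the added 'Roles' => $Roles entry forwards it unchanged, whereas $UserName on the following lines is filtered with preg_replace before use. Suggest normalising $Roles to an array and dropping anything that is not on a configured list of roles the SSO source is allowed to assign before it goes into the payload, so the remote side cannot grant a role the integration never meant to delegate.
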
    then in

    public function ProcessAuthorizedRequest($ProviderKey, $UserKey, $UserName = NULL, $ForeignNonce = NULL, $OptionalPayload = NULL) {

    if ($Association['UserID'] > 0) {
    // Retrieved an association which has been fully linked to a local user

    // We'll be tracked by Vanilla cookies now, so delete the Proxy cookie if it exists...
    + $Roles = $OptionalPayload["Roles"];
    + if ($Roles) {
    + $um = new UserModel();
    + $um->SaveRoles($Association['UserID'], $Roles);
    + }

    // Log the user in
    $this->SetIdentity($Association['UserID'], FALSE);
    // Check for a request token that needs to be converted to a
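
    Review bot: $OptionalPayload["Roles"] is indexed directly although the signature defaults $OptionalPayload to NULL, and whatever it holds is passed to SaveRoles with no check on its contents. Read it with ArrayValue('Roles', $OptionalPayload), as the other lookups in this code do, and validate the list before saving. The added block also sits inside if ($Association['UserID'] > 0), so in this hunk it is only reached for a user that already has a linked local account.
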
    Now this works; however it doesn't work the first time around, and I can't find a hook to place the initial roles (when the user is created).

    It is passed in the HMAC cookie, but where can I hook so it does this after it created the user so I can apply the new roles?
  • however it doesn't work the first time around
    Exactly what I found, and just could not see a way around it. That's why I resorted to a cron job to create very basic user records with the roles, and when the user logs in for the first time, the user account gets tidied up by Vanilla.

    If you can figure out this one, it would be a real benefit to this plugin. Ultimately, what ProxyConnect needs is hooks in the right place so that additional plugins can be written to handle roles, addresses, thumbnails, personal statements, accreditations etc. whatever people want to pull across from their CMS.
  • Indeed. However I don't know enough about this framework to know where to place something like this.