• Resolved dsusco

    (@dsusco)


    We have our AD groups coming across as CAS extra attributes. Ideally, we’d like to use these to assign a user roles in WordPress. Does anyone have any thoughts on architecting this? I.e. where would you start within the plugin?

  • Plugin Author Paul Ryan

    (@figureone)

    We introduced the authorizer_custom_role filter a few versions back that does this very thing. Here’s an example:
    https://github.com/uhm-coe/authorizer/blob/master/readme.txt#L190-L207

    You can hook into that and do an error_log( print_r( $user_data, true ) ); if you’re unsure of what data your CAS server is returning.

    In the future we plan on building a UI around the feature so this can be done in wp-admin Options page for the plugin, but I think that’s a ways off right now.

    Here’s another real-world example from one of our servers. All our university users can log in via CAS, and certain users have attributes provided via the Internet2 project Grouper. We detect these attributes and elevate those users’ roles:

    /**
     * Filter the default role of the currently logging in user based on any of
     * their user attributes.
     *
     * @param string $default_role Default role of the currently logging in user.
     * @param array $user_data     User data returned from external service.
     */
    function ohr_authorizer_custom_role( $default_role, $user_data ) {
      // Don't change role for administrators.
      if ( 'administrator' === $default_role ) {
        return $default_role;
      }
    
      // Assign UH Employee role to all CAS users by default.
      if ( isset( $user_data['cas_attributes'] ) ) {
        $default_role = 'uh_member';
      }
    
      // Assign custom roles to users with uhReleasedGrouping attributes.
      if ( isset( $user_data['cas_attributes']['uhReleasedGrouping'] ) ) {
        // Mapping for UH Grouping attributes to WordPress roles. If a user has
        // multiple UH Groupings, the last one in the array below takes precedence.
        $group_to_role_mapping = array( // UH Grouping => WordPress role
          'uh-employees-systemwide' => 'uh_employee',
          'hr-content-authorized' => 'ohr_hr_staff',
          'system-ohr-content-editors' => 'ohr_content_editor',
        );
        foreach ( $group_to_role_mapping as $group => $role ) {
          if ( $group === $user_data['cas_attributes']['uhReleasedGrouping'] || ( is_array( $user_data['cas_attributes']['uhReleasedGrouping'] ) && array_search( $group, $user_data['cas_attributes']['uhReleasedGrouping'] ) !== false ) ) {
            $default_role = $role;
          }
        }
      }
    
      return $default_role;
    }
    add_filter( 'authorizer_custom_role', 'ohr_authorizer_custom_role', 10, 2 );
  • Plugin Author pkarjala

    (@pkarjala)

    We introduced the authorizer_custom_role filter a few versions back that does this very thing. Here’s an example:
    https://github.com/uhm-coe/authorizer/blob/master/readme.txt#L190-L207

    You can hook into that and do an error_log( print_r( $user_data, true ) ); if you’re unsure of what data your CAS server is returning.

    In the future we plan on building a UI around the feature so this can be done in wp-admin Options page for the plugin, but I think that’s a ways off right now.

  • Thread Starter dsusco

    (@dsusco)

    Awesome, thanks so much. That’s nearly all I need, just have to figure out how to programmatically assign multiple roles now. Maybe Members plugin?

    What’s the best practice for adding a filter like this? Right now I have Code Snippets installed and I just created a snippet for it. Is there something better/more robust that I should be doing instead?

  • Thread Starter dsusco

    (@dsusco)

    Actually, Members isn’t needed at all. I’m able to find the user by login, iterate through the AD groups in the CAS attributes and add_role for each of them. The only caveat is this won’t work the first time the user logs in and their account is created. They’d have to log out and log back in to get the appropriate roles. I don’t think that’s a huge deal, but if anyone has thoughts on fixing it they’d be welcome.

  • The topic ‘using CAS attributes to assign roles?’ is closed to new replies.
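
An added example, not part of the thread and not Authorizer's own code: an authorizer_custom_role callback for the AD-group case asked about above, written as a deny-by-default allow-list that can never grant administrator. The `memberOf` attribute name, the group DNs, the role choices and the `example_` function names are assumptions; the sample data at the bottom is constructed.

```php
<?php
// Added example. 'memberOf', the group DNs and the role choices are
// assumptions; substitute what your CAS server actually releases.

// Allow-list of AD group DN => WordPress role, highest privilege first.
// 'administrator' is deliberately absent: no directory group can grant it.
const EXAMPLE_GROUP_ROLES = array(
	'cn=wp-editors,ou=groups,dc=example,dc=edu' => 'editor',
	'cn=wp-authors,ou=groups,dc=example,dc=edu' => 'author',
);

// Return every mapped role for the user's groups, in allow-list order.
function example_roles_for_groups( array $cas_attributes ) {
	// The attribute may arrive as a single string or as an array of strings.
	$groups = (array) ( $cas_attributes['memberOf'] ?? array() );
	// AD distinguished names are case-insensitive; compare the full DN,
	// not just the CN, so a same-named group in another OU does not match.
	$groups = array_map( 'strtolower', array_map( 'trim', array_filter( $groups, 'is_string' ) ) );
	$roles = array();
	foreach ( EXAMPLE_GROUP_ROLES as $dn => $role ) {
		if ( in_array( $dn, $groups, true ) ) {
			$roles[] = $role;
		}
	}
	return $roles;
}

function example_authorizer_custom_role( $default_role, $user_data ) {
	// Leave existing administrators and non-CAS logins untouched.
	if ( 'administrator' === $default_role || ! isset( $user_data['cas_attributes'] ) ) {
		return $default_role;
	}
	$roles = example_roles_for_groups( (array) $user_data['cas_attributes'] );
	// Deny by default: a CAS user in no mapped group gets the baseline role.
	return $roles[0] ?? 'subscriber';
}

if ( function_exists( 'add_filter' ) ) {
	add_filter( 'authorizer_custom_role', 'example_authorizer_custom_role', 10, 2 );
} else {
	// Outside WordPress: run against constructed sample data.
	$sample = array( 'cas_attributes' => array( 'memberOf' => array(
		'CN=WP-Authors,OU=Groups,DC=example,DC=edu',
		'CN=WP-Editors,OU=Groups,DC=example,DC=edu',
	) ) );
	var_dump( example_authorizer_custom_role( 'subscriber', $sample ) );
}
```

Because `example_roles_for_groups()` returns every matching role rather than only the first, the same list can drive the per-group `add_role` loop described in the last reply.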