feat: add fallback idp/mdl attribute mapping
Used when the primary mapping does not match against any particular user. This can be used in the case where attributes used for id management are transitioned from one field to another, and allows for a gradual non-disruptive rollover.
New settings (below 'Case matching'):
The example used locally was against the idnumber field. Any other Moodle field could also work, such as username, email, alt name.
Local env comments:
To see the id number field, one needs to check the "ID Number" field here under the showuseridentity setting:
@keevan I think we just need to do a bit of adjustment to the field updated function here:
https://github.com/catalyst/moodle-auth_saml2/blob/MOODLE_39_STABLE/classes/auth.php#L1030
When you get logged in via a secondary mapping, this would not update your primary field, and will emit some debugging. We should allow this overwrite in the cases where a secondary mapping is configured. Please update this and add a test for this scenario.
Hi @keevan,
We are going through a migration at the moment where people are coming from a legacy LMS that did not use an SSO authentication service.
The first time they log in, SAML2 needs to match the email address and set the uid field. Subsequently, it needs to match on the uid field so that changes to email addresses don't disconnect the SAML2 account from the Moodle account. So, our primary would be the uid and secondary (fallback) would be email.
Your solution would meet our needs perfectly.
Any thoughts about when you can address @Peterburnett's concern?
Best regards,
Michael
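
The lookup order discussed in this thread, modelled as a stand-alone sketch (an added example, not part of the thread and not auth_saml2 code): try the primary mapping, fall back to the secondary one, and on a fallback hit write the IdP's primary value into the Moodle field so later logins survive an email change. The in-memory `$users` array, the function names, the `uid`/`mail` attribute names and the rule that an ambiguous match logs nobody in are assumptions of this example.

```php
<?php
// Added illustration, not auth_saml2 code. $users stands in for Moodle's user table;
// find_unique(), resolve_user() and the 'uid'/'mail' attribute names are hypothetical.

/** Return the id of the only user whose $field equals $value, or null if none or several match. */
function find_unique(array $users, string $field, string $value): ?int {
    if ($value === '') {
        return null; // never match on an empty attribute
    }
    $hits = [];
    foreach ($users as $id => $user) {
        if (($user[$field] ?? '') === $value) {
            $hits[] = $id;
        }
    }
    return count($hits) === 1 ? $hits[0] : null;
}

/** Try the primary mapping, then the fallback; a fallback hit writes the primary field. */
function resolve_user(array &$users, array $attrs, array $primary, array $fallback): ?array {
    [$pattr, $pfield] = $primary;
    [$fattr, $ffield] = $fallback;
    $pvalue = $attrs[$pattr] ?? '';
    $id = find_unique($users, $pfield, $pvalue);
    if ($id !== null) {
        return ['id' => $id, 'via' => 'primary'];
    }
    $id = find_unique($users, $ffield, $attrs[$fattr] ?? '');
    if ($id === null) {
        return null; // no match, or an ambiguous one: do not log anyone in
    }
    if ($pvalue !== '') {
        $users[$id][$pfield] = $pvalue; // next login resolves through the primary mapping
    }
    return ['id' => $id, 'via' => 'fallback'];
}

// Constructed sample data: one migrated account with no idnumber yet.
$users = [7 => ['idnumber' => '', 'email' => 'sam@example.edu']];
$primary = ['uid', 'idnumber'];   // IdP attribute, Moodle field
$fallback = ['mail', 'email'];
$first = resolve_user($users, ['uid' => 'u-1001', 'mail' => 'sam@example.edu'], $primary, $fallback);
$second = resolve_user($users, ['uid' => 'u-1001', 'mail' => 'sam.new@example.edu'], $primary, $fallback);
echo "{$first['via']} then {$second['via']}\n";
```

Because the fallback field decides which account gets linked, it should only be an attribute the IdP asserts authoritatively and that is unique among Moodle users.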