samlauth_restrict_to_ou

SAML Authentication Restrict to OU provides a security layer for the SAML Authentication module by restricting site access based on Organizational Unit (OU) attributes sent by the Identity Provider (IdP).

This module is specifically designed for Enterprise environments using Active Directory, allowing administrators to limit site access to specific departments or groups within a large organization without the overhead of managing individual Drupal roles for every user.

Features

• Restrict Login Toggle: A master switch that allows you to enable or disable the restriction logic globally without losing your settings.
• Distinguished Name (DN) Parsing: Automatically extracts multiple OU values from complex DN strings commonly sent by Active Directory (e.g., CN=user,OU=Marketing,OU=Users...).
• Strict Mode: Optionally require that a user belongs to all listed OUs rather than just one (AND vs OR logic).
• Customizable Access Denied Message: Control the exact message shown to rejected users, with support for basic HTML markup to ensure visibility.

Requirements

This module requires the SAML Authentication module.

Installation

Install as you would normally install a contributed Drupal module. For further information, see Installing Drupal Modules.

Configuration

The configuration form is located at:

/admin/config/people/saml-restrict

From the configuration form you can:

• Restrict Login to OUs: Enable the master toggle to begin enforcing restrictions.
• SAML Attribute Name: Set this to the attribute containing your OU data. In most AD setups, this is dn.
• Allowed OUs: Enter the names of authorized OUs, one per line (e.g., Staff, Faculty, Marketing). This check is case-insensitive to ensure reliable matching across directory updates. Do not include "ou=" prefixes.
• Strict Mode: Check this if a user must be a member of every OU listed to gain access.
• Access Denied Message: Customize the message displayed to users who are rejected. Basic HTML is supported.