bradjones1 · alxbridge · Jun 20, 2018 · Jun 26, 2018
diff --git a/README.md b/README.md
@@ -38,6 +38,9 @@ module and as such does not, out of the box, provide any working functionality.
   sites configuration to allow Drupal to find the correct site configuration to
   use. If you do not have a `sites/sites.php` file (as is typical) Drupal will assume
   you are using the site defined at `sites/default`.
+- If you need custom code to execute on initial authentication or reauthentication,
+  implement the hooks `hook_saml_idp_login_completed` and `hook_saml_idp_reauthenticated`
+  in your modules.
 
 ## Copyright and License
 &copy; 2015-2018 by Brad Jones LLC. Licensed under GPL 2.

diff --git a/saml_idp.api.php b/saml_idp.api.php
@@ -0,0 +1,43 @@
+<?php
+
+/**
+ * @file
+ * Hook definitions for the saml_idp module.
+ */
+
+use Drupal\user\UserInterface;
+
+/**
+ * @addtogroup hooks
+ * @{
+ */
+
+ /**
+  * Alter user attributes passed in SAML responses.
+  *
+  * @param array $attributes
+  *   Associative array of attributes to be passed in the SAML response.
+  * @param UserInterface $user_entity
+  *   The user entity for the authenticated account
+  */
+ function hook_saml_idp_attributes_alter(&$attributes, UserInterface &$user_entity) {}
+
+ /**
+  * Perform an action when a user successfully authenticates through SAML.
+  *
+  * @param array $state
+  *   The state after the login has completed.
+  */
+ function hook_saml_idp_login_completed($state) {}
+
+ /**
+  * Perform an action when a user successfully reauthenticates through SAML.
+  *
+  * @param array $state
+  *   The state after the reauthentication has completed.
+  */
+ function hook_saml_idp_reauthenticated($state) {}
+
+/**
+ * @} End of "addtogroup hooks".
+ */
diff --git a/src/Auth/Source/External.php b/src/Auth/Source/External.php
@@ -249,7 +249,7 @@ public static function resume() {
      */
 
     $state['Attributes'] = $attributes;
-    SimpleSAML_Auth_Source::completeAuth($state);
+    self::completeAuth($state);
 
     /*
      * The completeAuth-function never returns, so we never get this far.
@@ -258,6 +258,35 @@ public static function resume() {
   }
 
 
+  /**
+   * {@inheritdoc}
+   */
+  public function reauthenticate(array &$state) {
+    parent::reauthenticate($state);
+    // Fire hook for custom login actions.
+    \Drupal::getContainer()->get('module_handler')->invokeAll('saml_idp_reauthenticated', [$state]);
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public static function completeAuth(&$state) {
+    assert('is_array($state)');
+    assert('array_key_exists("LoginCompletedHandler", $state)');
+
+    SimpleSAML_Auth_State::deleteState($state);
+
+    $func = $state['LoginCompletedHandler'];
+    assert('is_callable($func)');
+
+    // Fire hook for custom login actions
+    // (This function is otherwise identical to the parent)
+    \Drupal::getContainer()->get('module_handler')->invokeAll('saml_idp_login_completed', [$state]);
+
+    call_user_func($func, $state);
+    assert(FALSE);
+  }
+
   /**
    * This function is called when the user start a logout operation, for example
    * by logging out of a SP that supports single logout.