improve algorithm to fit for most cases

keep compatibility with our awkward front behavior revert complete_social_login which does not work reliabily
intuitem · Mar 7, 2025 · 59de9fd · 59de9fd
1 parent d2bb1da
commit 59de9fd
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 6 deletions.
diff --git a/backend/iam/sso/saml/views.py b/backend/iam/sso/saml/views.py
@@ -20,6 +20,7 @@
 )
 from allauth.socialaccount.providers.saml.views import AuthError as AllauthAuthError
 from allauth.socialaccount.helpers import complete_social_login
+from allauth.socialaccount.providers.saml.provider import SAMLProvider
 from allauth.utils import ValidationError
 from django.http import HttpRequest, HttpResponseRedirect
 from django.http.response import Http404
@@ -32,6 +33,8 @@
 from iam.sso.models import SSOSettings
 from iam.utils import generate_token
 
+DEFAULT_SAML_ATTRIBUTE_MAPPING_EMAIL = SAMLProvider.default_attribute_mapping["email"]
+
 logger = structlog.get_logger(__name__)
 
 
@@ -135,8 +138,15 @@ def dispatch(self, request, organization_slug):
             login.state["process"] = AuthProcess.LOGIN
             login.state["next"] = next_url
         try:
-            emails = auth.get_attribute('http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress')
-            emails.append(auth.get_nameid()) # just in case
+            attribute_mapping = provider.app.settings.get("attribute_mapping", {})
+            # our parameter is either:
+            #   - a list with attributes (normal case)
+            #   - a list with a comma-separated string of attributes (frontend non-optimal behavior)
+            email_attributes_string = attribute_mapping.get("email", [])
+            email_attributes = [item.strip() for y in email_attributes_string for item in y.split(",")] or DEFAULT_SAML_ATTRIBUTE_MAPPING_EMAIL
+            emails = [auth.get_attribute(x) or [] for x in email_attributes]
+            emails = [x for xs in emails for x in xs] # flatten
+            emails.append(auth.get_nameid()) # default behavior
             user = User.objects.get(email__in=emails)
             idp_first_names = auth.get_attribute("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname")
             idp_last_names = auth.get_attribute("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname")
@@ -149,7 +159,7 @@ def dispatch(self, request, organization_slug):
             pre_social_login(request, login)
             if request.user.is_authenticated:
                 get_account_adapter(request).logout(request)
-            complete_social_login(request, login)
+            login._accept_login(request) # complete_social_login not working
             record_authentication(request, login)
         except User.DoesNotExist as e:
             # NOTE: We might want to allow signup some day

diff --git a/frontend/messages/en.json b/frontend/messages/en.json
@@ -631,9 +631,9 @@
 	"SLOURL": "SLO URL",
 	"x509Cert": "x509 certificate",
 	"SPEntityID": "SP Entity ID",
-	"attributeMappingUID": "Attribute mapping UID",
-	"attributeMappingEmail": "Attribute mapping email",
-	"attributeMappingEmailVerified": "Attribute mapping email verified",
+	"attributeMappingUID": "UID attribute mapping",
+	"attributeMappingEmail": "Email attribute mapping",
+	"attributeMappingEmailVerified": "Email verified attribute mapping",
 	"allowRepeatAttributeName": "Allow repeat attribute name",
 	"allowSingleLabelDomains": "Allow single label domains",
 	"authnRequestSigned": "Authn request signed",