Skip to content

Allow ADFS login for accounts without a SAML emailaddress#135

Merged
bshand merged 2 commits into
mainfrom
feature/fix_login_without_saml_emailaddress
Nov 27, 2024
Merged

Allow ADFS login for accounts without a SAML emailaddress#135
bshand merged 2 commits into
mainfrom
feature/fix_login_without_saml_emailaddress

Conversation

@bshand

@bshand bshand commented Nov 26, 2024

Copy link
Copy Markdown
Contributor

The PHE ADFS server now includes blank email addresses for (some?) ex @PhE staff. This PR ignores the emailaddress SAML field: the User object being updated on login, which was causing an error when a blank email address was being applied. Instead, users are identified by the upn (which contains their email address).

I've deployed this to the beta site before review, to confirm that it works.

@bshand bshand changed the base branch from develop to main November 26, 2024 21:13
@bshand bshand marked this pull request as draft November 26, 2024 21:21
@bshand bshand marked this pull request as ready for review November 27, 2024 11:03
@miles-smith

Copy link
Copy Markdown
Contributor

I think this is fine as long as we don't anticipate any new users to the system. That being said, with decommissioning on the horizon, I doubt it's worth worrying about such things.

For the sake of knowledge sharing, the email address claim is also referenced in config/initializers/ndr_authenticate.rb (config.saml_resource_locator = ...).

miles-smith
miles-smith previously approved these changes Nov 27, 2024
@bshand

bshand commented Nov 27, 2024

Copy link
Copy Markdown
Contributor Author

I think this is fine as long as we don't anticipate any new users to the system. That being said, with decommissioning on the horizon, I doubt it's worth worrying about such things.

For the sake of knowledge sharing, the email address claim is also referenced in config/initializers/ndr_authenticate.rb (config.saml_resource_locator = ...).

I've updated the PR: config/initializers/ndr_authenticate.rb now looks up users based on upn instead of emailaddress.

@bshand bshand force-pushed the feature/fix_login_without_saml_emailaddress branch from e5d0e49 to e5aab29 Compare November 27, 2024 14:52
@bshand

bshand commented Nov 27, 2024

Copy link
Copy Markdown
Contributor Author

I've now reverted to the previously approved version, which I'll merge now. Here are Miles's additional comments:

To be able to handle new users, I think we need to map the UPN claim to the email column in the users table (via config/attribute-map.yml) so as to satisfy presence validations and NOT NULL constraints on the email attribute/column.
I’m not sure if devise-saml-authenticatable will allow mapping one claim to multiple columns (e.g. email and upn) :thinking_face:
The additional code in saml_resource_locator is/was a fallback for existing DMS users who were signing in with PHE creds for the first time, where a user record wouldn’t have been found by object_guid lookup (Devise.saml_default_user_key) and would otherwise have ended up creating a duplicate account for the individual without the email lookup fallback. This is probably unlikely at this point in time and I mentioned it for the sake of completeness.

@bshand bshand merged commit 2e5a94a into main Nov 27, 2024
@bshand bshand deleted the feature/fix_login_without_saml_emailaddress branch November 27, 2024 14:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants