feat: [SAML] Allow to identify user by email - Meeds-io/meeds#1615 - E…

…XO-69432 Before this fix, SAML authentication require username as subject in the SAML assertion response. As for the login (in which we are able to log with username or email), we would propose to have the email as subject of the assertion.
Meeds-io · Feb 9, 2024 · a4df682 · a4df682
1 parent bccd32c
commit a4df682
Showing 1 changed file with 31 additions and 0 deletions.
diff --git a/...ml-plugin/src/main/java/org/gatein/sso/saml/plugin/valve/AbstractSPFormAuthenticator.java b/...ml-plugin/src/main/java/org/gatein/sso/saml/plugin/valve/AbstractSPFormAuthenticator.java
@@ -23,6 +23,10 @@
 import org.apache.catalina.connector.Response;
 import org.apache.catalina.realm.GenericPrincipal;
 import org.apache.tomcat.util.descriptor.web.LoginConfig;
+import org.exoplatform.commons.utils.ListAccess;
+import org.exoplatform.services.organization.Query;
+import org.exoplatform.services.organization.User;
+import org.exoplatform.services.organization.UserHandler;
 import org.picketlink.common.ErrorCodes;
 import org.picketlink.common.constants.GeneralConstants;
 import org.picketlink.common.constants.JBossSAMLConstants;
@@ -584,6 +588,8 @@ private boolean handleSAML2Response(Request request, Response response, LoginCon
         String username = principal.getName();
         String password = ServiceProviderSAMLContext.EMPTY_PASSWORD;
 
+        username = checkForEmail(username);
+
         roles.addAll(extractGateinRoles(username));
         if (logger.isTraceEnabled()) {
           logger.trace("Roles determined for username=" + username + "=" + Arrays.toString(roles.toArray()));
@@ -655,6 +661,8 @@ private boolean handleSAML2Response(Request request, Response response, LoginCon
     return localAuthentication(request, response, loginConfig);
   }
 
+
+
   private String getSAMLVersion(Request request) {
     String samlResponse = request.getParameter(GeneralConstants.SAML_RESPONSE_KEY);
     String version;
@@ -850,4 +858,27 @@ private boolean isAjaxRequest(Request request) {
     String requestedWithHeader = request.getHeader(GeneralConstants.HTTP_HEADER_X_REQUESTED_WITH);
     return requestedWithHeader != null && "XMLHttpRequest".equalsIgnoreCase(requestedWithHeader);
   }
+
+  private String checkForEmail(String username) {
+    //allow to use email as identifier in SAML assertion
+    //if username is an email, we read the related user, and return his username, if there is only one result with this email
+    try {
+      if (username.contains("@")) {
+        OrganizationService organizationService = PortalContainer.getInstance().getComponentInstanceOfType(OrganizationService.class);
+        UserHandler userHandler = organizationService.getUserHandler();
+        Query emailQuery = new Query();
+        emailQuery.setEmail(username);
+        ListAccess<User> users;
+        users = userHandler.findUsersByQuery(emailQuery);
+        if (users != null && users.getSize() == 1) {
+          return users.load(0, 1)[0].getUserName();
+        }
+      }
+    } catch (Exception e) {
+      logger.samlSPHandleRequestError(e);
+      return null;
+    }
+    return username;
+  }
+
 }