Case insensitive SAML username

0
I have implemented the SAML module, but in our login system, email addresses (which are the usernames) are pretty inconsistent in terms of lower/uppercase. Therefore, I would like to put the SAML username always to lowercase when a user signs in, but since the module is huge, I am wondering if anyone else can point me to the correct Java file to implement this change. Unfortunately, CustomLoginLogic is not the correct place, since this is only kicked off when a user is found in the database...
asked
2 answers
0

Probably redundant to tell you, but customizing SAML is at your own risk and should be avoided. And you might lose changes or the ability to upgrade in the future.

The module is already supposed to change the principal key to lower case. At least the more recent versions are supposed to do this.
In ArtifactHandler.java:103 the action gets the principalValue from the assertion (response). On line 126 that same variable is passed into the function that actually gets the user and runs the custom login logic.

That should already set up the user with the appropriate values. The mapping of the additional assertions to user attributes is not changed to lower case, though. If you use the options 'attribute mapping' / 'claim map' to map values to an attribute, the module does do a 1-to-1 copy. That is where the customLoginLogic comes in: if you want to mutate values before mapping them to an attribute, only use them in the custom login logic.

The module does the following:
- getPrincipalFromAssertion .toLowerCase
- find a user
  - if not found create a user
    - if created set the user name and user role
- copy all additional assertion attributes to the user
- execute custom login logic
- commit and create a session

EDIT: I just noticed that in ArtifactHandler.java:89 there is another option for retrieving the principalValue; in this scenario we are not changing it to lower case. I'm guessing that you are using that option.
If your data allows for this, you could add a toLowerCase statement here. But make sure you check for null values before doing so.

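```java
// Lowercase the NameID-based principal, skipping the call when no NameID is present
userPrincipal = assertion.getNameID();
if (userPrincipal != null) {
	userPrincipal = userPrincipal.toLowerCase();
}
```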

I'm not sure exactly how we're going to improve on this in a future release; it will likely become a configuration option.

answered
0

I have come across issues with the SAML module. I also have users that have inconsistent capitalizations in their email addresses. When they’re first created, they come through and have the email (the admin.account.email field I’m using to map to) lowercase, even though their SAML email is capitalized. This is fine. The next time they hit it, it’s successful again, but THEN it updates this email field to the capitalized version (i.e. John.Doe@bla.com). Umm.. ok? Then the first time, they hit SAML, it errors out because the lower case converted email doesn’t match the capitalized version I have.

I don’t know why but the SAML module is updating the user’s email with the capitalization. I’m not doing it anywhere. Why would it do this?

answered
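The two answers above describe a lowercased principal used for the user lookup and a 1-to-1 copy of the mapped email attribute. The following is an added example, not code from the SAML module or from either poster, showing one normalization function applied to both values so the stored attribute and the lookup key cannot drift apart. The class, the `normalize` and `login` helpers, the in-memory map and the sample addresses are all hypothetical and constructed for illustration.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

public class SamlPrincipalNormalization {

    /** Locale-independent lowercasing; returns null when the IdP sent no value. */
    static String normalize(String value) {
        return value == null ? null : value.toLowerCase(Locale.ROOT);
    }

    /** Hypothetical stand-in for the user table: user name -> stored email attribute. */
    static final Map<String, String> users = new HashMap<>();

    /** Find-or-create keyed on the normalized principal, then copy the email attribute. */
    static String login(String nameId, String emailAttribute) {
        String principal = normalize(nameId);
        if (principal == null) {
            throw new IllegalArgumentException("assertion carries no NameID");
        }
        // Normalizing the copied attribute as well keeps it equal to the lookup key;
        // a 1-to-1 copy would store the IdP's capitalization instead.
        users.put(principal, normalize(emailAttribute));
        return principal;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real IdP.
        String first = login("Jane.SMITH@example.com", "Jane.SMITH@example.com");
        String second = login("jane.smith@EXAMPLE.com", "jane.smith@EXAMPLE.com");

        // Both capitalizations resolve to the same account and a single stored row.
        System.out.println("same principal: " + first.equals(second));
        System.out.println("stored users:   " + users);

        // toLowerCase() without a Locale uses the JVM default. Under a Turkish
        // locale 'I' maps to dotless 'ı', so the result differs from the ROOT form.
        String turkish = "Jane.SMITH@example.com".toLowerCase(Locale.forLanguageTag("tr"));
        System.out.println("tr matches ROOT: " + turkish.equals(first));
    }
}
```

Passing `Locale.ROOT` explicitly matters on servers whose default locale has special casing rules, since the no-argument `toLowerCase()` shown in the first answer follows the JVM default.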