Fix tines SAML mapping

mozilla-iam · Dec 19, 2024 · 64f11d2 · 64f11d2
1 parent 57960ed
commit 64f11d2
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 6 deletions.
diff --git a/tf/actions/samlMappings.js b/tf/actions/samlMappings.js
@@ -13,9 +13,11 @@ exports.onExecutePostLogin = async (event, api) => {
         'team_mzai',
         'team_mzvc'
         ];
-      const userGroups = event.user.metadata?.groups || [];
+      const userGroups = event.user.app_metadata?.groups || [];
       const selectGroups = tineGroups.filter(group => userGroups.includes(group));
-      api.samlResponse.setAttribute("groups", selectGroups);
+      api.samlResponse.setAttribute("http://sso.mozilla.com/claim/groups", selectGroups);
+      // DELETE the standard group claim
+      api.samlResponse.setAttribute("http://schemas.xmlsoap.org/claims/Group", null);
       break;
 
     case "wgh8S9GaE7sJ4i0QrAzeMxFXgWZYtB0l": // sage-intacct

diff --git a/tf/tests/samlMappings.test.js b/tf/tests/samlMappings.test.js
@@ -118,8 +118,8 @@ describe('Tines SAML tests', () => {
   test.each(clientIDs)('Ensure SAML configuration mappings for client %s', async (clientID) => {
     _event.client.client_id = clientID;
 
-    _event.user.metadata = {};
-    _event.user.metadata.groups = [
+    _event.user.app_metadata = {};
+    _event.user.app_metadata.groups = [
       'mozilliansorg_sec_tines-admin',
       'foo',
       'mozilliansorg_sec_tines-access',
@@ -132,15 +132,17 @@ describe('Tines SAML tests', () => {
     ];
 
     expectedSamlAttributes = {
-      "groups": [
+      "http://sso.mozilla.com/claim/groups": [
         'mozilliansorg_sec_tines-admin',
         'mozilliansorg_sec_tines-access',
         'team_moco',
         'team_mofo',
         'team_mzla',
         'team_mzai',
         'team_mzvc'
-    ]};
+      ],
+      "http://schemas.xmlsoap.org/claims/Group": null
+    };
 
     // Execute onExecutePostLogin
     await onExecutePostLogin(_event, api);