[AAP-47897] Use configured groups attribute in SAML authenticator (#797)

tznamena · web-flow · commit 59aaf99b72dd · 2025-08-17T16:19:55.000-06:00
SAML authenticator will use group attribute specified in the IDP configuration
rather than only expecting to find "Group" hard-coded attribute
diff --git a/ansible_base/authentication/authenticator_plugins/saml.py b/ansible_base/authentication/authenticator_plugins/saml.py
@@ -294,9 +294,21 @@ def extra_data(self, user, backend, response, *args, **kwargs):
             if perm in attrs:
                 kwargs["social"].extra_data[perm] = attrs[perm]
 
-        # Move group spec up a level if present
-        if "Group" in attrs:
-            response["Group"] = attrs["Group"]
+        # Get configured group attribute, if present
+        configuration = getattr(self.database_instance, 'configuration', {})
+        idp_groups_attribute_name = self.configuration_class.settings_to_enabled_idps_fields.get('IDP_GROUPS', None)
+        configured_groups_attribute = configuration.get('ENABLED_IDPS', {}).get(idp_string, {}).get(idp_groups_attribute_name, None)
+
+        if configured_groups_attribute in attrs:
+            logger.debug(f"Setting {self.groups_claim} from attribute: {configured_groups_attribute}")
+            response[self.groups_claim] = attrs[configured_groups_attribute]
+        # Else try getting the "Group" attribute, if present
+        elif self.groups_claim in attrs:
+            logger.debug(f"Setting {self.groups_claim} from attribute: {self.groups_claim}")
+            response[self.groups_claim] = attrs[self.groups_claim]
+        else:
+            logger.debug("Unable to get any group claims from the SAML response")
+
         data = super().extra_data(user, backend, response, *args, **kwargs)
 
         # Ideally we would always have a DB instance
diff --git a/test_app/tests/authentication/authenticator_plugins/test_saml.py b/test_app/tests/authentication/authenticator_plugins/test_saml.py
@@ -369,12 +369,30 @@ def __init__(self):
                 'attr_last_name': 'last_name',
                 'attr_first_name': 'first_name',
                 'attr_user_permanent_id': 'name_id',
+                'attr_groups': 'member',
             },
             {
                 'last_name': ['Admin'],
                 'username': ['gateway_admin'],
                 'first_name': ['Gateway'],
                 'name_id': 'gateway_admin',
+                'member': ['group-1', 'group-2'],
+            },
+        ),
+        (
+            {
+                'attr_username': 'username',
+                'attr_last_name': 'last_name',
+                'attr_first_name': 'first_name',
+                'attr_user_permanent_id': 'name_id',
+                'attr_groups': 'nonexistent_group_attr',  # Configure a group attribute that won't be in response
+            },
+            {
+                'last_name': ['Admin'],
+                'username': ['gateway_admin'],
+                'first_name': ['Gateway'],
+                'name_id': 'gateway_admin',
+                # No group data should be present - will hit the "Unable to get any group claims" branch
             },
         ),
     ],
@@ -403,6 +421,7 @@ def test_extra_data_default_attrs(idp_fields, expected_results):
             'first_name': ['Gateway'],
             'Role': ['default-roles-gateway realm', 'manage-account', 'uma_authorization', 'view-profile', 'offline_access', 'manage-account-links'],
             'name_id': 'gateway_admin',
+            'member': ['group-1', 'group-2'],
         },
     }
     au = AuthenticatorUser()
@@ -411,6 +430,51 @@ def test_extra_data_default_attrs(idp_fields, expected_results):
         assert results == expected_results
 
 
+def test_extra_data_no_group_claims_logging(caplog):
+    """Test that the 'Unable to get any group claims' logging is triggered when no group attributes are found."""
+    import logging
+
+    from ansible_base.authentication.authenticator_plugins.saml import idp_string
+    from ansible_base.authentication.models import AuthenticatorUser
+
+    ap = AuthenticatorPlugin()
+    database_instance = SimpleNamespace()
+    enabled_idps = {
+        'ENABLED_IDPS': {
+            idp_string: {
+                'attr_username': 'username',
+                'attr_user_permanent_id': 'name_id',
+                'attr_groups': 'missing_group_attr',  # This attribute won't be in the response
+            },
+        }
+    }
+    database_instance.configuration = enabled_idps
+    ap.database_instance = database_instance
+
+    response = {
+        'idp_name': 'IdP',
+        'attributes': {
+            'username': ['gateway_admin'],
+            'name_id': 'gateway_admin',
+            # Note: No 'missing_group_attr' and no default 'Group' attribute
+        },
+    }
+
+    au = AuthenticatorUser()
+
+    # Set logging level to DEBUG to capture the debug message
+    with caplog.at_level(logging.DEBUG, logger='ansible_base.authentication.authenticator_plugins.saml'):
+        with mock.patch('social_core.backends.saml.SAMLAuth.extra_data', return_value={}):
+            results = ap.extra_data(None, 'IdP:gateway_admin', response, **{'social': au})
+
+    # Verify the log message was captured
+    assert "Unable to get any group claims from the SAML response" in caplog.text
+
+    # Verify no group data in results
+    assert 'missing_group_attr' not in results
+    assert 'Group' not in results
+
+
 def test_saml_create_via_api_without_callback_url(admin_api_client, saml_configuration):
     del saml_configuration['CALLBACK_URL']
 
