ansible
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/ci.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎ansible_base/authentication/authenticator_plugins/azuread.py‎
Lines changed: 1 addition & 2 deletions b/‎ansible_base/authentication/authenticator_plugins/azuread.py‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎ansible_base/authentication/authenticator_plugins/ldap.py‎
Lines changed: 0 additions & 6 deletions b/‎ansible_base/authentication/authenticator_plugins/ldap.py‎
Lines changed: 0 additions & 6 deletions
diff --git a/‎ansible_base/authentication/authenticator_plugins/oidc.py‎
Lines changed: 1 addition & 1 deletion b/‎ansible_base/authentication/authenticator_plugins/oidc.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎ansible_base/authentication/authenticator_plugins/saml.py‎
Lines changed: 21 additions & 4 deletions b/‎ansible_base/authentication/authenticator_plugins/saml.py‎
Lines changed: 21 additions & 4 deletions
@@ -53,7 +53,7 @@ jobs:
       - name: Run tox
         run: |
           echo "::remove-matcher owner=python::"  # Disable annoying annotations from setup-python
-          tox -e ${{ matrix.tests.env }}
+          tox --colored yes -e ${{ matrix.tests.env }}
 
       - name: Inject PR number into coverage.xml
         if: matrix.tests.sonar
 
@@ -41,15 +41,14 @@ class AzureADConfiguration(BaseAuthenticatorConfiguration):
         help_text=_("The JSON key used to extract the user's groups from the ID token or userinfo endpoint."),
         required=False,
         allow_null=False,
-        default="Group",
+        default="groups",
         ui_field_label=_("Groups Claim"),
     )
 
     USERNAME_FIELD = CharField(
         help_text=_("The name of the field from the assertion to use as the username. If not set will default to name"),
         required=False,
         allow_null=True,
-        default=None,
         ui_field_label=_("Field to use as username"),
     )
 
 
@@ -1,6 +1,5 @@
 import inspect
 import logging
-import re
 from collections import OrderedDict
 from typing import Any
 
@@ -248,11 +247,6 @@ def validate_ldap_filter(value: Any, with_user: bool = False) -> None:
 
         dn_value = value.replace(user_search_string, 'USER')
 
-    # Check if this is an and/or filter with multiple subfilters
-    if re.match(r'^\([&|!]\(.*?\)\)$', dn_value):
-        for sub_filter in dn_value[3:-2].split(')('):
-            # We only need to check with_user at the top of the recursion stack
-            validate_ldap_filter(f'({sub_filter})', with_user=False)
     try:
         Filter.parse(dn_value)
     except ParseError:
 
@@ -124,7 +124,7 @@ class OpenIdConnectConfiguration(BaseAuthenticatorConfiguration):
 
     JWT_ALGORITHMS = ListField(
         help_text=_("The algorithm(s) for decoding JWT responses from the IDP."),
-        default=None,
+        default=OpenIdConnectAuth.JWT_ALGORITHMS,
         allow_null=True,
         validators=[JWTAlgorithmListFieldValidator()],
         ui_field_label=_('OIDC JWT Algorithm(s)'),
 
@@ -208,7 +208,12 @@ def validate(self, attrs):
             raise ValidationError(_("Failed to load config: %(e)s") % {"e": e})
 
         if invalid_security_settings:
-            raise ValidationError({'SECURITY_CONFIG': _("Invalid keys:) {', '.join(invalid_security_settings)}")})
+            raise ValidationError(
+                {
+                    'SECURITY_CONFIG': _("Invalid keys: %(keys)s, Valid keys: %(valid_keys)s")
+                    % {"keys": ', '.join(sorted(invalid_security_settings)), "valid_keys": ', '.join(sorted(valid_security_settings))}
+                }
+            )
 
         response = super().validate(attrs)
         return response
@@ -289,9 +294,21 @@ def extra_data(self, user, backend, response, *args, **kwargs):
             if perm in attrs:
                 kwargs["social"].extra_data[perm] = attrs[perm]
 
-        # Move group spec up a level if present
-        if "Group" in attrs:
-            response["Group"] = attrs["Group"]
+        # Get configured group attribute, if present
+        configuration = getattr(self.database_instance, 'configuration', {})
+        idp_groups_attribute_name = self.configuration_class.settings_to_enabled_idps_fields.get('IDP_GROUPS', None)
+        configured_groups_attribute = configuration.get('ENABLED_IDPS', {}).get(idp_string, {}).get(idp_groups_attribute_name, None)
+
+        if configured_groups_attribute in attrs:
+            logger.debug(f"Setting {self.groups_claim} from attribute: {configured_groups_attribute}")
+            response[self.groups_claim] = attrs[configured_groups_attribute]
+        # Else try getting the "Group" attribute, if present
+        elif self.groups_claim in attrs:
+            logger.debug(f"Setting {self.groups_claim} from attribute: {self.groups_claim}")
+            response[self.groups_claim] = attrs[self.groups_claim]
+        else:
+            logger.debug("Unable to get any group claims from the SAML response")
+
         data = super().extra_data(user, backend, response, *args, **kwargs)
 
         # Ideally we would always have a DB instance