Default SSO roles support (#539)

dorsha · web-flow · commit b1be51370187 · 2025-03-28T12:36:14.000+03:00
diff --git a/descope/management/sso_settings.py b/descope/management/sso_settings.py
@@ -122,6 +122,7 @@ def __init__(
         idp_cert: str,
         attribute_mapping: Optional[AttributeMapping] = None,
         role_mappings: Optional[List[RoleMapping]] = None,
+        default_sso_roles: Optional[List[str]] = None,
         # NOTICE - the following fields should be overridden only in case of SSO migration, otherwise, do not modify these fields
         sp_acs_url: Optional[str] = None,
         sp_entity_id: Optional[str] = None,
@@ -131,6 +132,7 @@ def __init__(
         self.idp_cert = idp_cert
         self.attribute_mapping = attribute_mapping
         self.role_mappings = role_mappings
+        self.default_sso_roles = default_sso_roles
         self.sp_acs_url = sp_acs_url
         self.sp_entity_id = sp_entity_id
 
@@ -145,13 +147,15 @@ def __init__(
         idp_metadata_url: str,
         attribute_mapping: Optional[AttributeMapping] = None,
         role_mappings: Optional[List[RoleMapping]] = None,
+        default_sso_roles: Optional[List[str]] = None,
         # NOTICE - the following fields should be overridden only in case of SSO migration, otherwise, do not modify these fields
         sp_acs_url: Optional[str] = None,
         sp_entity_id: Optional[str] = None,
     ):
         self.idp_metadata_url = idp_metadata_url
         self.attribute_mapping = attribute_mapping
         self.role_mappings = role_mappings
+        self.default_sso_roles = default_sso_roles
         self.sp_acs_url = sp_acs_url
         self.sp_entity_id = sp_entity_id
 
@@ -548,6 +552,7 @@ def _compose_configure_saml_settings_body(
                 "roleMappings": SSOSettings._role_mapping_to_dict(
                     settings.role_mappings
                 ),
+                "defaultSSORoles": settings.default_sso_roles,
             },
             "redirectUrl": redirect_url,
             "domains": domains,
@@ -576,6 +581,7 @@ def _compose_configure_saml_settings_by_metadata_body(
                 "roleMappings": SSOSettings._role_mapping_to_dict(
                     settings.role_mappings
                 ),
+                "defaultSSORoles": settings.default_sso_roles,
             },
             "redirectUrl": redirect_url,
             "domains": domains,
diff --git a/tests/management/test_sso_settings.py b/tests/management/test_sso_settings.py
@@ -90,7 +90,7 @@ def test_load_settings(self):
             network_resp = mock.Mock()
             network_resp.ok = True
             network_resp.json.return_value = json.loads(
-                """{"tenant": {"id": "T2AAAA", "name": "myTenantName", "selfProvisioningDomains": [], "customAttributes": {}, "authType": "saml", "domains": ["lulu", "kuku"]}, "saml": {"idpEntityId": "", "idpSSOUrl": "", "idpCertificate": "", "idpMetadataUrl": "https://dummy.com/metadata", "spEntityId": "", "spACSUrl": "", "spCertificate": "", "attributeMapping": {"name": "name", "email": "email", "username": "", "phoneNumber": "phone", "group": "", "givenName": "", "middleName": "", "familyName": "", "picture": "", "customAttributes": {}}, "groupsMapping": [], "redirectUrl": ""}, "oidc": {"name": "", "clientId": "", "clientSecret": "", "redirectUrl": "", "authUrl": "", "tokenUrl": "", "userDataUrl": "", "scope": [], "JWKsUrl": "", "userAttrMapping": {"loginId": "sub", "username": "", "name": "name", "email": "email", "phoneNumber": "phone_number", "verifiedEmail": "email_verified", "verifiedPhone": "phone_number_verified", "picture": "picture", "givenName": "given_name", "middleName": "middle_name", "familyName": "family_name"}, "manageProviderTokens": false, "callbackDomain": "", "prompt": [], "grantType": "authorization_code", "issuer": ""}}"""
+                """{"tenant": {"id": "T2AAAA", "name": "myTenantName", "selfProvisioningDomains": [], "customAttributes": {}, "authType": "saml", "domains": ["lulu", "kuku"]}, "saml": {"idpEntityId": "", "idpSSOUrl": "", "idpCertificate": "", "defaultSSORoles": ["aa", "bb"], "idpMetadataUrl": "https://dummy.com/metadata", "spEntityId": "", "spACSUrl": "", "spCertificate": "", "attributeMapping": {"name": "name", "email": "email", "username": "", "phoneNumber": "phone", "group": "", "givenName": "", "middleName": "", "familyName": "", "picture": "", "customAttributes": {}}, "groupsMapping": [], "redirectUrl": ""}, "oidc": {"name": "", "clientId": "", "clientSecret": "", "redirectUrl": "", "authUrl": "", "tokenUrl": "", "userDataUrl": "", "scope": [], "JWKsUrl": "", "userAttrMapping": {"loginId": "sub", "username": "", "name": "name", "email": "email", "phoneNumber": "phone_number", "verifiedEmail": "email_verified", "verifiedPhone": "phone_number_verified", "picture": "picture", "givenName": "given_name", "middleName": "middle_name", "familyName": "family_name"}, "manageProviderTokens": false, "callbackDomain": "", "prompt": [], "grantType": "authorization_code", "issuer": ""}}"""
             )
             mock_get.return_value = network_resp
             resp = client.mgmt.sso.load_settings("T2AAAA")
@@ -101,6 +101,10 @@ def test_load_settings(self):
             self.assertEqual(
                 saml_settings.get("idpMetadataUrl", ""), "https://dummy.com/metadata"
             )
+            self.assertEqual(
+                saml_settings.get("defaultSSORoles", ""),
+                ["aa", "bb"],
+            )
             mock_get.assert_called_with(
                 f"{common.DEFAULT_BASE_URL}{MgmtV1.sso_load_settings_path}",
                 headers={
@@ -233,6 +237,7 @@ def test_configure_saml_settings(self):
                     idp_cert="cert",
                     sp_acs_url="http://spacsurl.com",
                     sp_entity_id="spentityid",
+                    default_sso_roles=["aa", "bb"],
                 ),
                 "https://redirect.com",
                 ["domain.com"],
@@ -261,6 +266,7 @@ def test_configure_saml_settings(self):
                         role_mappings=[RoleMapping(groups=["grp1"], role_name="rl1")],
                         sp_acs_url="http://spacsurl.com",
                         sp_entity_id="spentityid",
+                        default_sso_roles=["aa", "bb"],
                     ),
                     "https://redirect.com",
                     ["domain.com"],
@@ -293,6 +299,7 @@ def test_configure_saml_settings(self):
                         "roleMappings": [{"groups": ["grp1"], "roleName": "rl1"}],
                         "spACSUrl": "http://spacsurl.com",
                         "spEntityId": "spentityid",
+                        "defaultSSORoles": ["aa", "bb"],
                     },
                     "redirectUrl": "https://redirect.com",
                     "domains": ["domain.com"],
@@ -343,6 +350,7 @@ def test_configure_saml_settings_by_metadata(self):
                         role_mappings=[RoleMapping(groups=["grp1"], role_name="rl1")],
                         sp_acs_url="http://spacsurl.com",
                         sp_entity_id="spentityid",
+                        default_sso_roles=["aa", "bb"],
                     ),
                     "https://redirect.com",
                     ["domain.com"],
@@ -373,6 +381,7 @@ def test_configure_saml_settings_by_metadata(self):
                         "roleMappings": [{"groups": ["grp1"], "roleName": "rl1"}],
                         "spACSUrl": "http://spacsurl.com",
                         "spEntityId": "spentityid",
+                        "defaultSSORoles": ["aa", "bb"],
                     },
                     "redirectUrl": "https://redirect.com",
                     "domains": ["domain.com"],
