feat(SAML): Support attributes with namespace (#8931)

Support Microsoft Entra ID (formaly Azure Active Directory) out of the box. They're sending `emailaddress` and `name` prefixed with the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/ namespace. Map those to values we expect.
ParabolInc · Oct 6, 2023 · 4c29cd6 · 4c29cd6
1 parent 39063e0
commit 4c29cd6
Showing 1 changed file with 12 additions and 7 deletions.
diff --git a/packages/server/graphql/private/mutations/loginSAML.ts b/packages/server/graphql/private/mutations/loginSAML.ts
@@ -20,6 +20,11 @@ import standardError from '../../../utils/standardError'
 const serviceProvider = samlify.ServiceProvider({})
 samlify.setSchemaValidator(samlXMLValidator)
 
+const CLAIM_SPEC = {
+  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress': 'email',
+  'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'displayname'
+}
+
 const getRelayState = (body: querystring.ParsedUrlQuery) => {
   let relayState = {} as SSORelayState
   try {
@@ -76,13 +81,13 @@ const loginSAML: MutationResolvers['loginSAML'] = async (
 
   const {extract} = loginResponse
   const {attributes, nameID: name} = extract
-  const caseInsensitiveAttributes = {} as Record<string, string | undefined>
-  Object.keys(attributes).forEach((key) => {
-    const lowercaseKey = key.toLowerCase()
-    const value = attributes[key]
-    caseInsensitiveAttributes[lowercaseKey] = String(value)
-  })
-  const {email: inputEmail, emailaddress, displayname} = caseInsensitiveAttributes
+  const normalizedAttributes = Object.fromEntries(
+    Object.entries(attributes).map(([key, value]) => {
+      const normalizedKey = CLAIM_SPEC[key as keyof typeof CLAIM_SPEC] ?? key.toLowerCase()
+      return [normalizedKey, String(value)]
+    })
+  )
+  const {email: inputEmail, emailaddress, displayname} = normalizedAttributes
   const preferredName = displayname || name
   const email = inputEmail?.toLowerCase() || emailaddress?.toLowerCase()
   if (!email) {