SAML reconcile lambda doesn't set user.username

simonchrz commented 12 months ago

Description

I've configured a SAMLv2 IdP on my fusionauth with LinkByEmail linking strategy.
the options for usernameClaim and emailClaim are set to SAML attribute
additionaly i've configured a SAML2 reconcile lambda to add other attributes to user.data
for some reason user.email is set correct, but user.username is always empty (even if i try to set it via lambda, too).
all other attributes are assigned correct
if i switch to LinkByUsername linking strategy the user.username is set correct, but user.email is not set
so it's somehow related to the linking strategy ?

Affects versions

fusionauth 1.47.1

Steps to reproduce

see description

Expected behavior

the user.username should be set to the configured (via usernameClaim) SAML attribute.

Screenshots/logs

10/13/2023 10:06:17 AM Z Linking strategy [LinkByEmail]
10/13/2023 10:06:17 AM Z Resolved email to [sso-user@test.com]
10/13/2023 10:06:17 AM Z Resolved username to [sso-user]
10/13/2023 10:06:17 AM Z Resolved unique Id to [sso-user@test.com]
10/13/2023 10:06:17 AM Z Identity provider returned a unique Id [sso-user@test.com].
10/13/2023 10:06:17 AM Z User with Id [ada6b17e-edaf-44ac-aa97-e75eb7b8ba7f] is linked to this external user.
10/13/2023 10:06:17 AM Z Invoke configured lambda with Id [3f44749c-5e0a-455e-b3ac-47f639350aaa]
10/13/2023 10:06:17 AM Z Updating user: 
{
  "active" : true,
  "connectorId" : "e3306678-a53a-4964-9040-1c96f36dda72",
  "data" : {
    "username" : "sso-user"
  },
  "email" : "sso-user@test.com",
  "firstName" : "SSO-User",
  "fullName" : "SSO-User Development",
  "id" : "ada6b17e-edaf-44ac-aa97-e75eb7b8ba7f",
  "insertInstant" : 1697191526559,
  "lastLoginInstant" : 1697191559379,
  "lastName" : "Development",
  "lastUpdateInstant" : 1697191559379,
  "memberships" : [ ],
  "mobilePhone" : "0175-321654",
  "passwordChangeRequired" : false,
  "passwordLastUpdateInstant" : 1697191526947,
  "preferredLanguages" : [ ],
  "registrations" : [ ],
  "tenantId" : "5ec72c82-8dd7-4091-95f6-63f69f043ea1",
  "twoFactor" : {
    "methods" : [ ],
    "recoveryCodes" : [ ]
  },
  "usernameStatus" : "ACTIVE",
  "verified" : true
}

function reconcile(user, registration, samlResponse) {
user.data.email = samlResponse.assertion.attributes['urn:mace:dir:attribute-def:email'][0];
  user.data.username = samlResponse.assertion.attributes['urn:mace:dir:attribute-def:samaccountname'][0];
  user.firstName = samlResponse.assertion.attributes['urn:mace:dir:attribute-def:firstname'][0];
  user.lastName = samlResponse.assertion.attributes['urn:mace:dir:attribute-def:lastname'][0];
  user.mobilePhone = samlResponse.assertion.attributes['urn:mace:dir:attribute-def:mobile'][0];
  user.fullName = user.firstName + ' ' + user.lastName;
registration.username = user.data.username;
  user.username = user.data.username;
  user.email = user.data.email;
}

simonchrz commented 12 months ago

i've just found this post https://fusionauth.io/community/forum/topic/2391/username-and-email-claims-aren-t-both-honoured-for-identity-providers/2 ...which suggests

to store the value that is delivered from the identity provider in the user.data.email claim

But i want the user to be able to login with email OR username, so i suppose both have to be set on user object ?

mooreds commented 11 months ago

@simonchrz

Is it fair to change the title of this to SAML reconcile lambda doesn't set user.username when user.email is provided?

FusionAuth / fusionauth-issues