From: Ray Lee
Date: Mon, 27 Nov 2023 19:21:58 +0000 (-0500)
Subject: Handle SAML responses with multiple assertions.
X-Git-Url: https://git.aero2k.de/?a=commitdiff_plain;h=a2900f78bd0d5ab26297c09d562e329a39a1fa21;p=tmp%2Fjakarta-migration.git

Handle SAML responses with multiple assertions.
---
diff --git a/services/common/src/main/java/org/collectionspace/services/common/security/SecurityConfig.java b/services/common/src/main/java/org/collectionspace/services/common/security/SecurityConfig.java
index d2858b44d..c99c13a01 100644
--- a/services/common/src/main/java/org/collectionspace/services/common/security/SecurityConfig.java
+++ b/services/common/src/main/java/org/collectionspace/services/common/security/SecurityConfig.java
@@ -558,20 +558,25 @@ public class SecurityConfig {
 : null
 );
 
- Assertion assertion = responseToken.getResponse().getAssertions().get(0);
- List candidateUsernames = SecurityUtils.findSamlAssertionCandidateUsernames(assertion, assertionProbes);
+ List attemptedUsernames = new ArrayList<>();
 
- for (String candidateUsername : candidateUsernames) {
- try {
- CSpaceUser user = (CSpaceUser) userDetailsService.loadUserByUsername(candidateUsername);
+ for (Assertion assertion : responseToken.getResponse().getAssertions()) {
+ List candidateUsernames = SecurityUtils.findSamlAssertionCandidateUsernames(assertion, assertionProbes);
 
- return new CSpaceSaml2Authentication(user, authentication);
- }
- catch(UsernameNotFoundException e) {
+ for (String candidateUsername : candidateUsernames) {
+ try {
+ CSpaceUser user = (CSpaceUser) userDetailsService.loadUserByUsername(candidateUsername);
+
+ return new CSpaceSaml2Authentication(user, authentication);
+ }
+ catch(UsernameNotFoundException e) {
+ }
 }
+
+ attemptedUsernames.addAll(candidateUsernames);
 }
 
- String errorMessage = "No CollectionSpace account was found for " + StringUtils.join(candidateUsernames, " / ") + ".";
+ String errorMessage = "No CollectionSpace account was found for " + StringUtils.join(attemptedUsernames, " / ") + ".";
 
 throw(new UsernameNotFoundException(errorMessage));
 }
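Review bot: The new loop over `responseToken.getResponse().getAssertions()` lets any assertion in the response supply the login identity, and the first candidate username with a local account wins, yet nothing states that every assertion has been validated by this point or records which one matched. Whether signature and condition checks cover all assertions before this code runs is not visible in the hunk, so I would document the assumption above the outer loop: `// Every assertion in the response is expected to have passed validation before this point; the first candidate username with a local account wins, in assertion order, then probe order.` For audit it would help to log the match just before the `return`, for example `logger.debug("SAML assertion {} matched account {}", assertion.getID(), candidateUsername);` if the class has a logger. The `authentication` object passed to `CSpaceSaml2Authentication` may also describe a different assertion than the one that matched, which is worth confirming against the code that builds it. The enclosing method starts before the hunk.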