From a2900f78bd0d5ab26297c09d562e329a39a1fa21 Mon Sep 17 00:00:00 2001
From: Ray Lee
Date: Mon, 27 Nov 2023 14:21:58 -0500
Subject: [PATCH] Handle SAML responses with multiple assertions.

---
 .../common/security/SecurityConfig.java | 23 +++++++++++--------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/services/common/src/main/java/org/collectionspace/services/common/security/SecurityConfig.java b/services/common/src/main/java/org/collectionspace/services/common/security/SecurityConfig.java
index d2858b44d..c99c13a01 100644
--- a/services/common/src/main/java/org/collectionspace/services/common/security/SecurityConfig.java
+++ b/services/common/src/main/java/org/collectionspace/services/common/security/SecurityConfig.java
@@ -558,20 +558,25 @@ public class SecurityConfig {
  : null
  );

- Assertion assertion = responseToken.getResponse().getAssertions().get(0);
- List candidateUsernames = SecurityUtils.findSamlAssertionCandidateUsernames(assertion, assertionProbes);
+ List attemptedUsernames = new ArrayList<>();

- for (String candidateUsername : candidateUsernames) {
- try {
- CSpaceUser user = (CSpaceUser) userDetailsService.loadUserByUsername(candidateUsername);
+ for (Assertion assertion : responseToken.getResponse().getAssertions()) {
+ List candidateUsernames = SecurityUtils.findSamlAssertionCandidateUsernames(assertion, assertionProbes);

- return new CSpaceSaml2Authentication(user, authentication);
- }
- catch(UsernameNotFoundException e) {
+ for (String candidateUsername : candidateUsernames) {
+ try {
+ CSpaceUser user = (CSpaceUser) userDetailsService.loadUserByUsername(candidateUsername);
+
+ return new CSpaceSaml2Authentication(user, authentication);
+ }
+ catch(UsernameNotFoundException e) {
+ }
  }
+
+ attemptedUsernames.addAll(candidateUsernames);
  }

- String errorMessage = "No CollectionSpace account was found for " + StringUtils.join(candidateUsernames, " / ") + ".";
+ String errorMessage = "No CollectionSpace account was found for " + StringUtils.join(attemptedUsernames, " / ") + ".";

  throw(new UsernameNotFoundException(errorMessage));
  }
-- 
2.47.3
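Review bot: The new `for (Assertion assertion : responseToken.getResponse().getAssertions())` loop lets any assertion in the response select the account, while the `authentication` handed to `new CSpaceSaml2Authentication(user, authentication)` is built above the hunk and may describe a different assertion than the one that matched. Because account selection is no longer tied to assertion 0, it is worth confirming (the validation is not visible here) that every assertion has passed signature and condition checks before this code runs, and recording that above the loop, e.g. `// Every assertion in the response has been validated upstream; the first one that maps to a CollectionSpace account wins.` The empty `catch(UsernameNotFoundException e) { }` would read better with `// No account for this candidate; try the next one.`, and a debug log naming the assertion and candidate that matched would help when auditing logins. The enclosing method starts above the hunk.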