diff --git a/packages/backend/src/server/sso/JWTIdentifyProviderService.ts b/packages/backend/src/server/sso/JWTIdentifyProviderService.ts
index c639bec91d..9069c24fdf 100644
--- a/packages/backend/src/server/sso/JWTIdentifyProviderService.ts
+++ b/packages/backend/src/server/sso/JWTIdentifyProviderService.ts
@@ -171,11 +171,11 @@ export class JWTIdentifyProviderService {
 		const roles = await this.roleService.getUserRoles(user.id);
 		const payload: JWTPayload = {
-			name: user.name,
+			name: user.name ?? user.username,
 			preferred_username: user.username,
 			profile: `${this.config.url}/@${user.username}`,
-			picture: user.avatarUrl,
-			email: profile.email,
+			picture: user.avatarUrl ?? undefined,
+			email: profile.emailVerified ? profile.email : undefined,
 			email_verified: profile.emailVerified,
 			mfa_enabled: profile.twoFactorEnabled,
 			updated_at: Math.floor((user.updatedAt?.getTime() ?? user.createdAt.getTime()) / 1000),
diff --git a/packages/backend/src/server/sso/SAMLIdentifyProviderService.ts b/packages/backend/src/server/sso/SAMLIdentifyProviderService.ts
index 2a07e4a123..fef53a5e00 100644
--- a/packages/backend/src/server/sso/SAMLIdentifyProviderService.ts
+++ b/packages/backend/src/server/sso/SAMLIdentifyProviderService.ts
@@ -477,16 +477,9 @@ export class SAMLIdentifyProviderService {
 						'#text': ssoServiceProvider.issuer,
 					},
 					'saml:Subject': {
-						'saml:NameID': [
-							{
-								'@Format': 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
-								'#text': profile.email,
-							},
-							{
-								'@Format': 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
-								'#text': user.id,
-							},
-						],
+						'saml:NameID': profile.emailVerified
+							? { '@Format': 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', '#text': profile.email }
+							: { '@Format': 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', '#text': user.id },
 						'saml:SubjectConfirmation': {
 							'@Method': 'urn:oasis:names:tc:SAML:2.0:cm:bearer',
 							'saml:SubjectConfirmationData': {
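Review bot: The new `saml:NameID` switches the subject identifier between a mutable email address and the persistent `user.id` depending on `profile.emailVerified`, so the same user presents different NameIDs over time, and a service provider that keys its accounts on NameID can see an account change hands when an address is released and later verified by another user. Keeping the persistent identifier as the subject and leaving the address in the `mail`/`email` attributes (which the later hunk in this file already gates on verification) avoids both problems: `'saml:NameID': { '@Format': 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', '#text': user.id },`. If some service providers genuinely require an emailAddress NameID, that is better expressed as a per-provider setting than as a per-user condition. The enclosing method starts and ends outside the hunk.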
@@ -541,7 +534,7 @@ export class SAMLIdentifyProviderService {
 							'@NameFormat': 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic',
 							'saml:AttributeValue': {
 								'@xsi:type': 'xs:string',
-								'#text': user.name,
+								'#text': user.name ?? user.username,
 							},
 						},
 						{
@@ -568,30 +561,32 @@ export class SAMLIdentifyProviderService {
 								'#text': `${this.config.url}/@${user.username}`,
 							},
 						},
-						{
+						...(user.avatarUrl ? [{
 							'@Name': 'picture',
 							'@NameFormat': 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic',
 							'saml:AttributeValue': {
 								'@xsi:type': 'xs:string',
 								'#text': user.avatarUrl,
 							},
-						},
-						{
-							'@Name': 'mail',
-							'@NameFormat': 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic',
-							'saml:AttributeValue': {
-								'@xsi:type': 'xs:string',
-								'#text': profile.email,
+						}] : []),
+						...(profile.emailVerified ? [
+							{
+								'@Name': 'mail',
+								'@NameFormat': 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic',
+								'saml:AttributeValue': {
+									'@xsi:type': 'xs:string',
+									'#text': profile.email,
+								},
 							},
-						},
-						{
-							'@Name': 'email',
-							'@NameFormat': 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic',
-							'saml:AttributeValue': {
-								'@xsi:type': 'xs:string',
-								'#text': profile.email,
+							{
+								'@Name': 'email',
+								'@NameFormat': 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic',
+								'saml:AttributeValue': {
+									'@xsi:type': 'xs:string',
+									'#text': profile.email,
+								},
 							},
-						},
+						] : []),
 						{
 							'@Name': 'email_verified',
 							'@NameFormat': 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic',
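Review bot: The `mail` and `email` attribute literals on the new side are identical apart from `@Name`, and the `picture` entry repeats the same shape, so the `@NameFormat` and `@xsi:type` boilerplate now appears three times inside the spread expressions. A small module-level helper that builds one basic string attribute would leave the verification gate as the only logic in this block; the helper itself would be added outside the hunk. Separately, `profile.email` is guarded only by `profile.emailVerified` here — if the email column can be null while the verified flag is set, `'#text'` would be null, which is worth confirming against the schema. The enclosing method starts and ends outside the hunk.
```typescript
// module-level helper, added outside the hunk
function basicStringAttribute(name: string, value: string) {
	return {
		'@Name': name,
		'@NameFormat': 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic',
		'saml:AttributeValue': { '@xsi:type': 'xs:string', '#text': value },
	};
}

// … unchanged: attributes before 'picture' …
						...(user.avatarUrl ? [basicStringAttribute('picture', user.avatarUrl)] : []),
						...(profile.emailVerified
							? [basicStringAttribute('mail', profile.email), basicStringAttribute('email', profile.email)]
							: []),
// … unchanged: 'email_verified' and the following attributes …
```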