Alternative fix: ignore emailaddress in SAML attribute map

NHSDigital · Nov 27, 2024 · e5aab29 · e5aab29
1 parent 8bdf485
commit e5aab29
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 7 deletions.
diff --git a/config/attribute-map.yml b/config/attribute-map.yml
@@ -11,6 +11,10 @@ test:
 production:
   objectGuid: object_guid
   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": upn
-  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": email
+  # The PHE ADFS server now includes blank email addresses for (some?) ex @phe staff.
+  # As an alternative to the below, we could write a saml_update_resource_hook that
+  # ignored blank email values, cf.
+  # https://github.com/apokalipto/devise_saml_authenticatable/tree/refs/heads/1.x-maintenance
+  # "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": email
   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": first_name
   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": last_name
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
@@ -273,12 +273,7 @@
   config.saml_create_user = true
 
   # Update the attributes of the user after a successful login. (Default is false)
-  # config.saml_update_user = true
-  # The PHE ADFS server now includes blank email addresses for (some?) ex @phe staff.
-  # As an alternative to the below, we could write a saml_update_resource_hook that
-  # ignored blank email values, cf.
-  # https://github.com/apokalipto/devise_saml_authenticatable/tree/refs/heads/1.x-maintenance
-  config.saml_update_user = false
+  config.saml_update_user = true
 
   # Set the default user key. The user will be looked up by this key. Make
   # sure that the Authentication Response includes the attribute.