From 5caea601680537802b02e016f7f8a6d365f3e2f4 Mon Sep 17 00:00:00 2001
From: Marco Dinis
Date: Fri, 25 Oct 2024 15:52:28 +0100
Subject: [PATCH] Fix UserContext SSO detection in UI for Okta Users

Okta imported users are not being properly identified as SSO users. Okta does not set any of the Users' identities and instead only sets the User.Connector.CreatedBy field. When building the UserContext, which is used by the WebUI, it was returning `local` user type for Okta users.
---
 lib/web/ui/usercontext.go | 3 ++-
 lib/web/ui/usercontext_test.go | 19 +++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/lib/web/ui/usercontext.go b/lib/web/ui/usercontext.go
index 66677845338bc..e464bc0f0494d 100644
--- a/lib/web/ui/usercontext.go
+++ b/lib/web/ui/usercontext.go
@@ -104,7 +104,8 @@ func NewUserContext(user types.User, userRoles services.RoleSet, features proto.
 authType := authLocal
 // check for any SSO identities
- isSSO := len(user.GetOIDCIdentities()) > 0 ||
+ isSSO := user.GetUserType() == types.UserTypeSSO ||
+ len(user.GetOIDCIdentities()) > 0 ||
 len(user.GetGithubIdentities()) > 0 ||
 len(user.GetSAMLIdentities()) > 0
diff --git a/lib/web/ui/usercontext_test.go b/lib/web/ui/usercontext_test.go
index cd1895fa2961e..18fab7d2c277c 100644
--- a/lib/web/ui/usercontext_test.go
+++ b/lib/web/ui/usercontext_test.go
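Review bot: The comment `// check for any SSO identities` above `isSSO` in lib/web/ui/usercontext.go is now stale, because the new first operand `user.GetUserType() == types.UserTypeSSO` classifies a user as SSO with no identity attached at all. Since `authType` is what the WebUI receives, anyone auditing which accounts are presented as locally authenticated needs both criteria spelled out; I would reword it to `// SSO users: created by a connector (e.g. Okta imports, which carry no identities) or holding any OIDC/GitHub/SAML identity`. The value looks like presentation data for the UI, so any server-side decision about local credentials presumably has to make its own check rather than rely on it. NewUserContext starts and ends outside the hunk.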
@@ -68,6 +68,25 @@ func TestNewUserContext(t *testing.T) {
 userContext, err = NewUserContext(user, roleSet, proto.Features{}, true, false)
 require.NoError(t, err)
 require.Equal(t, authSSO, userContext.AuthType)
+
+ // test sso auth type for users with the CreatedBy.Connector field set.
+ // Eg users import from okta do not have any Identities, so the CreatedBy.Connector must be checked.
+ userCreatedExternally := &types.UserV2{
+ Metadata: types.Metadata{
+ Name: "root",
+ },
+ Status: types.UserStatusV2{
+ PasswordState: types.PasswordState_PASSWORD_STATE_SET,
+ },
+ Spec: types.UserSpecV2{
+ CreatedBy: types.CreatedBy{
+ Connector: &types.ConnectorRef{},
+ },
+ },
+ }
+ userContext, err = NewUserContext(userCreatedExternally, roleSet, proto.Features{}, true, false)
+ require.NoError(t, err)
+ require.Equal(t, authSSO, userContext.AuthType)
 }
 func TestNewUserContextCloud(t *testing.T) {
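Review bot: The new case passes an empty `&types.ConnectorRef{}`, so what it pins is that any non-nil connector reference yields `authSSO`, not that an Okta-shaped user does. If that is the intended contract, say so in the test comment; otherwise populate the reference, e.g. `Connector: &types.ConnectorRef{Type: "saml", ID: "example-connector"}` (constructed values). The fixture also sets `PasswordState_PASSWORD_STATE_SET` while expecting SSO; if deliberate, that deserves a one-line comment, since it asserts that a stored password does not make the account local in the UI. A case with a nil `Connector` and no identities asserting `authLocal` may already exist above the hunk; if not, it would guard against the new check classifying every user as SSO.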