Implement SSO attributes de-duplication for email and names

cslzchen · cslzchen · commit 1a6efce50184 · 2025-09-10T09:56:58.000-04:00
diff --git a/api/institutions/authentication.py b/api/institutions/authentication.py
@@ -16,7 +16,8 @@
 from api.waffle.utils import flag_is_active
 
 from framework import sentry
-from framework.auth import get_or_create_institutional_user
+from framework.auth import get_or_create_institutional_user, deduplicate_sso_attributes
+from framework.auth.exceptions import MultipleSSOEmailError
 
 from osf import features
 from osf.exceptions import InstitutionAffiliationStateError
@@ -223,8 +224,13 @@ def authenticate(self, request):
                     f'sso_email={sso_email}, sso_identity={sso_identity}]',
                 )
 
+        # Deduplicate full name first if it is provided
+        if fullname:
+            fullname = deduplicate_sso_attributes(institution, sso_identity, 'fullname', fullname)
         # Use given name and family name to build full name if it is not provided
         if given_name and family_name and not fullname:
+            given_name = deduplicate_sso_attributes(institution, sso_identity, 'given_name', given_name)
+            family_name = deduplicate_sso_attributes(institution, sso_identity, 'family_name', family_name)
             fullname = given_name + ' ' + family_name
 
         # Non-empty full name is required. Fail the auth and inform sentry if not provided.
@@ -235,6 +241,21 @@ def authenticate(self, request):
             sentry.log_message(message)
             raise PermissionDenied(detail='InstitutionSsoMissingUserNames')
 
+        # Deduplicate sso email, currently we only handle duplicate sso email instead of multiple sso email
+        try:
+            sso_email = deduplicate_sso_attributes(
+                institution,
+                sso_identity,
+                'sso_email',
+                sso_email,
+                ignore_errors=False,
+            )
+        except MultipleSSOEmailError:
+            message = f'Institution SSO Error: multiple SSO email [sso_email={sso_email}, sso_identity={sso_identity}, institution={institution._id}]'
+            sentry.log_message(message)
+            logger.error(message)
+            # TODO: this requires a CAS hotfix to handle `detail='InstitutionMultipleSSOEmails'`
+            raise PermissionDenied(detail='InstitutionMultipleSSOEmails')
         # Attempt to find an existing user that matches the email(s) provided via SSO. Create a new one if not found.
         # If a user is found, it is possible that the user is inactive (e.g. unclaimed, disabled, unconfirmed, etc.).
         # If a new user is created, the user object is confirmed but not registered (i.e. inactive until registered).
diff --git a/framework/auth/__init__.py b/framework/auth/__init__.py
@@ -2,11 +2,11 @@
 
 from django.utils import timezone
 
-from framework import bcrypt
+from framework import bcrypt, sentry
 from framework.auth import signals
 from framework.auth.core import Auth
 from framework.auth.core import get_user, generate_verification_key
-from framework.auth.exceptions import DuplicateEmailError
+from framework.auth.exceptions import DuplicateEmailError, MultipleSSOEmailError
 from framework.auth.tasks import update_user_from_activity
 from framework.auth.utils import LogLevel, print_cas_log
 from framework.celery_tasks.handlers import enqueue_task
@@ -154,11 +154,26 @@ def get_or_create_institutional_user(fullname, sso_email, sso_identity, primary_
     # CASE 5/5: If no user is found, create a confirmed user and return the user and sso identity.
     # Note: Institution users are created as confirmed with a strong and random password. Users don't need the
     # password since they sign in via SSO. They can reset their password to enable email/password login.
-    user = OSFUser.create_confirmed(sso_email, str(uuid.uuid4()), fullname)
+    # user = OSFUser.create_confirmed(sso_email, str(uuid.uuid4()), fullname)
+    user = OSFUser.create_confirmed(sso_email, 'abCD12#$', fullname)
     user.add_system_tag(institution_source_tag(primary_institution._id))
     return user, True, None, None, sso_identity
 
 
+def deduplicate_sso_attributes(institution, sso_identity, attr_name, attr_value, delimiter=';', ignore_errors=True):
+    if delimiter not in attr_value:
+        return attr_value
+    value_set = set(attr_value.split(delimiter))
+    if len(value_set) != 1:
+        message = (f'Multiple values {attr_value} found for SSO attribute {attr_name}: '
+                   f'[institution_id={institution._id}, sso_identity={sso_identity}]')
+        if ignore_errors:
+            sentry.log_message(message)
+            return attr_value
+        raise MultipleSSOEmailError(message)
+    return value_set.pop()
+
+
 def get_or_create_user(fullname, address, reset_password=True, is_spam=False):
     """
     Get or create user by fullname and email address.
diff --git a/framework/auth/exceptions.py b/framework/auth/exceptions.py
@@ -65,3 +65,7 @@ class MergeConflictError(EmailConfirmTokenError):
     """Raised if a merge is not possible due to a conflict"""
     message_short = language.CANNOT_MERGE_ACCOUNTS_SHORT
     message_long = language.CANNOT_MERGE_ACCOUNTS_LONG
+
+
+class MultipleSSOEmailError(AuthError):
+    pass
