[19.0][IMP] auth_saml: user creation#925
[IMP] Cleanup
The following line of code for 11.0:
- https://github.com/odoo/odoo/blob/52d6f0e3ee90874fc93fec9cdff74ec71d3b991f/addons/auth_oauth/controllers/main.py#L69
is assigning the key "auth_link" for the "list_providers" method. The following template is expecting this key:
- https://github.com/odoo/odoo/blob/52d6f0e3ee90874fc93fec9cdff74ec71d3b991f/addons/auth_oauth/views/auth_oauth_templates.xml#L5
So, it raises a KeyError compiling "template_auth_oauth_providers_N". This change fixes that by adding the expected key in order to avoid this KeyError.
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate. Translation: server-auth-11.0/server-auth-11.0-auth_saml Translate-URL: https://translation.odoo-community.org/projects/server-auth-11-0/server-auth-11-0-auth_saml/
[FIX] dependencies
add requirement on lasso
- Default behavior is now to allow password and SAML together. Otherwise, users could keep getting their passwords removed without warning.
- General cleanup.
- Remove relations to field `password_crypt` because in v12 the `password` field is always encrypted instead.

Co-Authored-By: Alexandre Díaz <alexandre.diaz@tecnativa.com>
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate. Translation: server-auth-12.0/server-auth-12.0-auth_saml Translate-URL: https://translation.odoo-community.org/projects/server-auth-12-0/server-auth-12-0-auth_saml/
Currently translated at 100.0% (89 of 89 strings) Translation: server-auth-18.0/server-auth-18.0-auth_saml Translate-URL: https://translation.odoo-community.org/projects/server-auth-18-0/server-auth-18-0-auth_saml/fr/
To reproduce: enable both SAML and MFA.
Fixes
```
File "/home/odoo/18.0/server-auth/auth_saml/controllers/main.py", line 251, in signin
resp = request.redirect(_get_login_redirect_url(auth_info, url), 303)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/odoo/18.0/odoo/addons/web/controllers/utils.py", line 240, in _get_login_redirect_url
url = request.env(user=uid)['res.users'].browse(uid)._mfa_url()
^^^^^^^^^^^^^^^^^^^^^
File "/home/odoo/18.0/odoo/odoo/api.py", line 644, in __call__
uid = self.uid if user is None else int(user)
^^^^^^^^^
```
cf. https://github.com/odoo/odoo/blob/65704e58fda293af727f76d5c0741b135817db99/addons/web/controllers/home.py#L124-L126
Co-authored-by: Cas Vissers <cas@360erp.nl>
The message is incorrect: the log is done when the attribute key is not found.
On Office365, what you get when configuring an application for SAML authentication is the URL of the federation metadata document. This URL is stable, but the content of the document is not. I suspect some of the encryption keys can be updated / renewed over time. The result is that the configured provider in Odoo suddenly stops working, because the messages sent by the Office365 provider can no longer be validated by Odoo (because the federation document is out of date). Downloading the new version and updating the auth.saml.provider record fixes the issue. This PR adds a new field to store the URL of the metadata document. When this field is set on a provider, you get a button next to it in the form view to download the document from the URL. The button will not update the document if it has not changed. Additionally, when a SignatureError happens, we check if downloading the document again fixes the issue.
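The refresh-on-SignatureError flow this commit describes, as an added illustration that is not the module's own code: the provider record, its metadata_url field, the validator and the fetcher (an offline dictionary standing in for an HTTP GET) are all hypothetical stand-ins.

```python
from dataclasses import dataclass
from typing import Callable, Optional


class SignatureError(Exception):
    """Raised when a SAML response cannot be validated against the stored IdP metadata."""

@dataclass
class SamlProvider:
    # Hypothetical stand-in for the auth.saml.provider record; metadata_url is the new field.
    name: str
    idp_metadata: str
    metadata_url: Optional[str] = None
    refresh_count: int = 0

    def refresh_metadata(self, fetch: Callable[[str], str]) -> bool:
        """Re-download the metadata document; write it back only if its content changed."""
        if not self.metadata_url:
            return False
        new_doc = fetch(self.metadata_url)
        if new_doc == self.idp_metadata:
            return False  # unchanged: no write, so no needless record update
        self.idp_metadata = new_doc
        self.refresh_count += 1
        return True

def validate_with_refresh(provider, response, validate, fetch):
    """Validate a SAML response; on SignatureError, refresh the metadata once and retry."""
    try:
        return validate(provider.idp_metadata, response)
    except SignatureError:
        if not provider.refresh_metadata(fetch):
            raise  # nothing new to try with: same document, or no URL configured
        return validate(provider.idp_metadata, response)

def toy_validate(metadata: str, response: dict) -> str:
    """Constructed stand-in for XML signature checking: metadata lists accepted key ids, one per line."""
    if response["key_id"] not in metadata.splitlines():
        raise SignatureError(f"unknown signing key {response['key_id']}")
    return response["name_id"]

def demo() -> tuple:
    url = "https://login.example.test/federationmetadata.xml"  # constructed
    old_doc, new_doc = "key-2023\n", "key-2023\nkey-2024\n"  # IdP rotated in a new key
    provider = SamlProvider("office365", old_doc, url)
    fetch = {url: new_doc}.__getitem__  # offline stand-in for an HTTP GET
    user = validate_with_refresh(provider, {"key_id": "key-2024", "name_id": "alice"}, toy_validate, fetch)
    # A second refresh is a no-op because the document has not changed since.
    return user, provider.refresh_count, provider.refresh_metadata(fetch)
```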
Fix logic of SELECT FOR UPDATE to only lock records whose metadata will be updated
When using mapping, not writing the value systematically avoids getting security mail on login/email changes when there is no change. Also, using SQL for blanking passwords avoids the security update mails.
Currently translated at 100.0% (93 of 93 strings) Translation: server-auth-18.0/server-auth-18.0-auth_saml Translate-URL: https://translation.odoo-community.org/projects/server-auth-18-0/server-auth-18-0-auth_saml/it/
- custom message when response is too old
- avoid using werkzeug.urls methods, they are deprecated
- add missing ondelete cascade when user is deleted
- attribute mapping is now also duplicated when the provider is duplicated
- factorize getting SAML attribute value, allowing using subject.nameId in mapping attributes too
- add an option to reactivate a user when finding a user and creation is enabled
vvrossem
To depend on #916 without adding the commits, add in a separate commit (e.g. [DO NOT MERGE] test-requirements.txt) test-requirements.txt with

```
odoo-addon-auth_saml @ git+https://github.com/OCA/server-auth.git@refs/pull/916/head#subdirectory=auth_saml
```

Hello @vincent-hatakeyama do you think you can handle this ⬆️ ?
This won’t work as it is the same addon. I’d welcome any review on the migration PR and this one so that I can merge it.
I might be wrong, but I think it should work. Here is an example using the same addon (i.e.
Included in migration PR as original is merged.
Goes after #916
Forward port of #695