Backport 105046 to 12.0.1 (#105337)

linoman
2025-05-13 18:29:35 +02:00
committed by GitHub
parent a1c1523a41
commit bf293c8ab6
2 changed files with 197 additions and 3 deletions
@@ -156,8 +156,8 @@ func (s *UserSync) ValidateUserProvisioningHook(ctx context.Context, id *authn.I
// Validate the provisioned user.ExternalUID with the authinfo.ExternalUID
if usr.IsProvisioned {
// The user is provisioned via SAML and the identity is empty, meaning this request is not from the SAML auth flow
if authInfo.AuthModule == login.SAMLAuthModule && authInfo.ExternalUID != "" && id.ExternalUID == "" {
// Allow non-SAML requests for SAML-provisioned users to proceed if incoming ExternalUID is empty (e.g. session access).
if authInfo.AuthModule == login.SAMLAuthModule && id.AuthenticatedBy != login.SAMLAuthModule && authInfo.ExternalUID != "" && id.ExternalUID == "" {
log.Debug("Skipping ExternalUID validation for non-SAML request to SAML-provisioned user")
return nil
}