Probably redundant to tell you, but customizing SAML is at your own risk and should be avoided. And you might loose changes or the ability to upgrade in the future.
The module is already supposed to change the prinicpal key to lower case. At least the more recent versions are supposed to do this.
In ArtifactHandler.java:103 the action gets the principalValue from the assertion (response). On line 126 that same variable is passed into the function that actually gets the user and runs the custom login logic.
That should already setup the user with the appropriate values. The mapping of the additional assertions to user attributes is not changed to lower case though. If you use the options 'attribute mapping' / 'claim map' to map values to an attribute, the module does do a 1-to-1 copy. That is where the customLoginLogic comes in, if you want to mutate values before mapping them to an attribute only use them in the custom login logic.
The module does the following:
- getPrincipalFromAssertion .toLowerCase
- find a user
- if not found create a user
- if created set the user name and user role
- copy all additional assertion attributes to the user
- execute custom login logic
- commit and create a session
EDIT: I just noticed that in ArtifactHandler.java:89 there is another option for retrieving the principalValue, in this scenario we are not changing it to lowerCase. I'm guessing that you are using that option.
If your data allows for this, you could add a toLowerCase statement here. But make sure you check on null values before doing so.
userPrincipal = assertion.getNameID(); if( userPrincipal != null ) userPrincipal = userPrincipal.toLowerCase();
I'm not sure exactly how we're going to improve on this in a future release, it will likely become a configuration option.
I have come across issues with the SAML module. I also have users that have inconsistent capitalizations in their email addresses. When they’re first created, they come through and have the email (the admin.account.email field I’m using to map to) lowercase, even though their SAML email is capitalized. This is fine. The next time they hit it, it’s successful again, but THEN it updates this email field to the capitalized version (i.e. John.Doe@bla.com). Umm.. ok? Then the first time, they hit SAML, it errors out because the lower case converted email doesnt match the capitalized version I have.
I don’t know why but the SAML module is updating the user’s email with the capitalization. I’m not doing it anywhere. Why would it do this?