Fix SAML: don't require AttributeStatement, use NameID for email

Google SAML often doesn't include AttributeStatement. Changes:
- Set wantAttributeStatement: False in security config
- Use NameID as email fallback when attributes are empty
- Check multiple attribute name variations for email/firstName/lastName

Bumped to 0.5.17

Author: matteius

django_forms_workflows/__init__.py

@@ -3,7 +3,7 @@
 Enterprise-grade, database-driven form builder with approval workflows
 """
 
-__version__ = "0.5.16"
+__version__ = "0.5.17"
 __author__ = "Django Forms Workflows Contributors"
 __license__ = "LGPL-3.0-only"
 

django_forms_workflows/sso_backends.py

@@ -290,6 +290,7 @@ def get_saml_config():
                 "wantAssertionsSigned": True,
                 "wantMessagesSigned": False,
                 "wantNameIdEncrypted": False,
+                "wantAttributeStatement": False,  # Don't require attributes (Google may not send them)
             },
         ),
     }

django_forms_workflows/sso_views.py

@@ -150,18 +150,43 @@ def post(self, request):
                 return HttpResponseBadRequest("SAML authentication failed")
 
             # Get user attributes from SAML response
-            attributes = auth.get_attributes()
+            # Note: Google SAML may not include AttributeStatement, so attributes may be empty
+            attributes = auth.get_attributes() or {}
             name_id = auth.get_nameid()
-            email = attributes.get("email", [name_id])[0]
+
+            # Try to get email from attributes, fall back to NameID
+            email = None
+            for attr_name in ["email", "Email", "emailAddress", "mail"]:
+                if attr_name in attributes and attributes[attr_name]:
+                    email = attributes[attr_name][0]
+                    break
+            if not email:
+                email = name_id  # NameID should be the email for Google SAML
+
+            if not email:
+                return HttpResponseBadRequest("SAML response missing email/NameID")
+
+            # Get first/last name from attributes if available
+            first_name = ""
+            for attr_name in ["firstName", "FirstName", "first_name", "givenName"]:
+                if attr_name in attributes and attributes[attr_name]:
+                    first_name = attributes[attr_name][0]
+                    break
+
+            last_name = ""
+            for attr_name in ["lastName", "LastName", "last_name", "sn", "surname"]:
+                if attr_name in attributes and attributes[attr_name]:
+                    last_name = attributes[attr_name][0]
+                    break
 
             # Find or create user
             user_model = get_user_model()
             user, created = user_model.objects.get_or_create(
                 email=email,
                 defaults={
                     "username": email.split("@")[0],
-                    "first_name": attributes.get("firstName", [""])[0],
-                    "last_name": attributes.get("lastName", [""])[0],
+                    "first_name": first_name,
+                    "last_name": last_name,
                 },
             )
 

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "django-forms-workflows"
-version = "0.5.16"
+version = "0.5.17"
 description = "Enterprise-grade, database-driven form builder with approval workflows and external data integration"
 license = "LGPL-3.0-only"
 readme = "README.md"