Fixes #608

Author: oharsta

server/src/main/java/invite/api/InvitationController.java

@@ -404,7 +404,7 @@ private void saveOAuth2AuthenticationToken(Authentication authentication,
         DefaultOidcUser existingTokenPrincipal = (DefaultOidcUser) existingToken.getPrincipal();
         //Claims of the tokenPrincipal are immutable, so we need to instantiate a new Map
         Map<String, Object> claims = new HashMap<>(existingTokenPrincipal.getClaims());
-        claims.putAll(manage.enrichInstitutionAdmin(user.getOrganizationGUID()));
+        claims.putAll(manage.enrichInstitutionAdmin(user.getOrganizationGUID(), claims));
         DefaultOidcUser oidcUser = new DefaultOidcUser(
                 existingToken.getAuthorities(),
                 existingTokenPrincipal.getIdToken(),

server/src/main/java/invite/manage/Manage.java

@@ -172,12 +172,22 @@ default List<GroupedProviders> getGroupedProviders(List<Role> requestedRoles) {
                 .toList();
     }
 
-    default Map<String, Object> enrichInstitutionAdmin(String organizationGUID) {
+    default Map<String, Object> enrichInstitutionAdmin(String organizationGUID, Map<String, Object> userClaims) {
         Map<String, Object> claims = new HashMap<>();
         claims.put(INSTITUTION_ADMIN, true);
         claims.put(ORGANIZATION_GUID, organizationGUID);
         List<Map<String, Object>> identityProviders = identityProvidersByInstitutionalGUID(organizationGUID);
-        claims.put(INSTITUTION, identityProviders.size() == 0 ? null : identityProviders.getFirst());
+        if (identityProviders.size() > 1) {
+            //try to find the IdP which entityID equals the authenticating authority of the user login
+            String authenticatingAuthority = (String) userClaims.get("authenticating_authority");
+            Map<String, Object> identityProvider = identityProviders.stream()
+                    .filter(idp -> idp.get("entityid").equals(authenticatingAuthority))
+                    .findFirst()
+                    .orElse(identityProviders.getFirst());
+            claims.put(INSTITUTION, identityProvider);
+        } else {
+            claims.put(INSTITUTION, identityProviders.isEmpty() ? null : identityProviders.getFirst());
+        }
         List<Map<String, Object>> applications = this.providersAllowedByIdPs(identityProviders);
         claims.put(APPLICATIONS, applications);
         return claims;

server/src/main/java/invite/security/CustomOidcUserService.java

@@ -66,7 +66,7 @@ public OidcUser loadUser(OidcUserRequest userRequest) throws OAuth2Authenticatio
         newClaims.put(ORGANIZATION_GUID, organizationGuid);
 
         if (institutionAdmin && StringUtils.hasText(organizationGuid)) {
-            Map<String, Object> manageClaims = manage.enrichInstitutionAdmin(organizationGuid);
+            Map<String, Object> manageClaims = manage.enrichInstitutionAdmin(organizationGuid, newClaims);
             newClaims.putAll(manageClaims);
         }
         optionalUser.ifPresent(user -> {

server/src/main/java/invite/security/UserHandlerMethodArgumentResolver.java

@@ -92,7 +92,7 @@ public User resolveArgument(MethodParameter methodParameter,
             User user = apiUsers.getFirst();
             if (StringUtils.hasText(organizationGUID)) {
                 //The overhead is needed / justified for API usage as this are stateless
-                addInstitutionAdminAttributes(user, organizationGUID);
+                addInstitutionAdminAttributes(user, organizationGUID, Map.of());
             }
             return user;
         } else {
@@ -138,7 +138,7 @@ public User resolveArgument(MethodParameter methodParameter,
                 String organizationGUID = user.getOrganizationGUID();
                 if (validImpersonation.get()) {
                     //The overhead for retrieving data from manage is justified when super_user is impersonating institutionAdmin
-                    addInstitutionAdminAttributes(user, organizationGUID);
+                    addInstitutionAdminAttributes(user, organizationGUID, attributes);
                 } else {
                     user.updateRemoteAttributes(attributes);
                 }
@@ -148,8 +148,8 @@ public User resolveArgument(MethodParameter methodParameter,
 
     }
 
-    private void addInstitutionAdminAttributes(User user, String organizationGUID) {
-        Map<String, Object> attributes = manage.enrichInstitutionAdmin(organizationGUID);
+    private void addInstitutionAdminAttributes(User user, String organizationGUID, Map<String, Object> claims) {
+        Map<String, Object> attributes = manage.enrichInstitutionAdmin(organizationGUID, claims);
         user.updateRemoteAttributes(attributes);
     }
 

server/src/main/resources/manage/saml20_idp.json

@@ -98,7 +98,8 @@
         "name:en": "EduID EN",
         "name:nl": "EduID NL",
         "OrganizationName:en": "SURF bv",
-        "logo:0:url": "https://static.surfconext.nl/media/idp/surfconext.png"
+        "logo:0:url": "https://static.surfconext.nl/media/idp/surfconext.png",
+        "coin:institution_guid": "ad93daef-0911-e511-80d0-005056956c1a"
       }
     }
   }

server/src/test/java/invite/api/ManageControllerTest.java

@@ -102,7 +102,7 @@ void identityProviders() throws Exception {
                 .get("/api/v1/manage/identity-providers")
                 .as(new TypeRef<>() {
                 });
-        assertEquals(2, result.size());
+        assertEquals(3, result.size());
     }
 
     @Test

server/src/test/resources/user-info.json

@@ -1,5 +1,6 @@
 {
   "eduperson_principal_name": "eduperson_principal_name",
+  "authenticating_authority": "http://mock-idp",
   "email": "email",
   "email_verified": true,
   "family_name": "Doe",