Merge pull request #29614 from overleaf/ii-domain-capture-mu-email-check

[web] Check email from SAML callback before enrollment page GitOrigin-RevId: 3c8224d42b87969290d5031a28d4ec217e875d84
2026-05-24 17:51:51 +02:00 · 2025-11-18 13:28:57 +02:00
parent d65f5a416c
commit e81ca06f9c
4 changed files with 55 additions and 15 deletions
--- a/services/web/app/src/Features/Errors/Errors.js
+++ b/services/web/app/src/Features/Errors/Errors.js
@@ -194,6 +194,8 @@ class SAMLRequestDeniedError extends SAMLAuthenticationError {
  }
 }

+class SAMLDomainCaptureManagedUserMissingEmailError extends OError {}
+
 class SAMLSessionDataMissing extends BackwardCompatibleError {
  constructor(arg) {
    super(arg)
@@ -377,6 +379,7 @@ module.exports = {
  SAMLResponseAlreadyProcessedError,
  SAMLRequestDeniedError,
  SAMLDomainCaptureRegisterError,
+  SAMLDomainCaptureManagedUserMissingEmailError,
  SLInV2Error,
  ThirdPartyIdentityExistsError,
  ThirdPartyUserNotFoundError,
--- a/services/web/frontend/extracted-translations.json
+++ b/services/web/frontend/extracted-translations.json
@@ -1514,6 +1514,7 @@
  "role": "",
  "rolling_texlive_build": "",
  "saml_auth_error": "",
+  "saml_email_not_in_account_error": "",
  "saml_identity_exists_error": "",
  "saml_invalid_signature_error": "",
  "saml_login_disabled_error": "",
--- a/services/web/locales/en.json
+++ b/services/web/locales/en.json
@@ -1967,6 +1967,7 @@
  "saml_authentication_required_error": "Other login methods have been disabled by your group administrator. Please use your group SSO login.",
  "saml_commons_unavailable": "Institution SSO is currently unavailable. For more details, please see <0>__linkText__</0>.",
  "saml_create_admin_instructions": "Choose an email address for the first __appName__ admin account. This should correspond to an account in the SAML system. You will then be asked to log in with this account.",
+  "saml_email_not_in_account_error": "Your identity provider returned __email__, which is not already on your current __appName__ account. You will need to log out and create a new __appName__ account with __email__ via the SSO log in page. Once this is done, you can <0>transfer your existing projects</0> to the new account.",
  "saml_email_not_recognized_error": "This email address isn’t set up for SSO. Please check it and try again or contact your administrator.",
  "saml_identity_exists_error": "Sorry, the identity returned by your identity provider is already linked with a different Overleaf account.  Please contact your administrator for more information.",
  "saml_invalid_signature_error": "Sorry, the information received from your identity provider has an invalid signature.  Please contact your administrator for more information.",
--- a/services/web/test/frontend/features/group-management/components/domain-capture.spec.tsx
+++ b/services/web/test/frontend/features/group-management/components/domain-capture.spec.tsx
@@ -83,24 +83,59 @@ describe('<DomainCapture />', function () {
    })
  })

-  it('renders institution error message', function () {
-    const errorMsg = 'Error message'
-    const notificationsInstitution = [
-      {
-        templateKey: 'notification_institution_sso_error',
-        error: {
-          message: errorMsg,
+  describe('notifications', function () {
+    it('renders missing email on account error message', function () {
+      const institutionEmail = 'email@example.com'
+      const notificationsInstitution = [
+        {
+          templateKey: 'notification_email_not_in_account',
+          institutionEmail,
        },
-      },
-    ]
-    cy.window().then(win => {
-      win.metaAttributesCache.set(
-        'ol-notificationsInstitution',
-        notificationsInstitution
+      ]
+      cy.window().then(win => {
+        win.metaAttributesCache.set(
+          'ol-notificationsInstitution',
+          notificationsInstitution
+        )
+      })
+      cy.mount(<DomainCapture />)
+
+      cy.findByRole('alert').should(
+        'contain.text',
+        `Your identity provider returned ${institutionEmail}, which ` +
+          `is not already on your current Overleaf account. You will need to ` +
+          `log out and create a new Overleaf account with ${institutionEmail} ` +
+          `via the SSO log in page. Once this is done, you can ` +
+          `transfer your existing projects to the new account.`
+      )
+      cy.findByRole('link', {
+        name: /transfer your existing projects/i,
+      }).should(
+        'have.attr',
+        'href',
+        '/learn/how-to/How_to_Transfer_Project_Ownership'
      )
    })
-    cy.mount(<DomainCapture />)

-    cy.findByRole('alert').should('contain.text', errorMsg)
+    it('renders institution error message', function () {
+      const errorMsg = 'Error message'
+      const notificationsInstitution = [
+        {
+          templateKey: 'notification_institution_sso_error',
+          error: {
+            message: errorMsg,
+          },
+        },
+      ]
+      cy.window().then(win => {
+        win.metaAttributesCache.set(
+          'ol-notificationsInstitution',
+          notificationsInstitution
+        )
+      })
+      cy.mount(<DomainCapture />)
+
+      cy.findByRole('alert').should('contain.text', errorMsg)
+    })
  })
 })