Fix SAML JIT login failing when role attributes have empty values (#42874)

[juan-fdz-hawa]

Related issue: Fixes #42874

Empty, whitespace-only, and missing FLEET_JIT_USER_ROLE_* SAML attribute values are now treated as null (ignored) instead of returning an error, matching the literal "null" workaround.

Checklist for submitter

If some of the following don't apply, delete the relevant line.

• Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
  See Changes files for more information.

Testing

• Added/updated automated tests
• QA'd all new/changed functionality manually

Summary by CodeRabbit

• Bug Fixes
  • Fixed SAML Just-In-Time user provisioning to properly handle empty or whitespace-only role attributes during SSO login. Warning logs are now emitted when role attributes are adjusted due to invalid values.

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1813d8e9-e959-4f12-93b0-f2937602e74e

📥 Commits

Reviewing files that changed from the base of the PR and between c88599d and ea3fa50.

⛔ Files ignored due to path filters (1)

• docs/Deploy/single-sign-on-sso.md is excluded by !**/*.md

📒 Files selected for processing (4)

• changes/42874-saml-jit-empty-role-values
• ee/server/service/users.go
• server/fleet/sessions.go
• server/fleet/sessions_test.go

---

Walkthrough

This PR fixes SAML JIT provisioning login failures caused by empty or missing role attribute values. The fix updates RolesFromSSOAttributes and parseRole in server/fleet/sessions.go to treat empty/whitespace role values as the null sentinel instead of returning validation errors. The function now returns a third value—a list of coerced attribute names—allowing the service layer to log when coercion occurs. Service callers in ee/server/service/users.go are updated to handle the new return signature and emit warnings. Tests are expanded to validate coercion tracking and confirm that previously-failing empty-value cases now succeed.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically summarizes the main fix: treating empty SAML role attribute values as null to prevent JIT login failures.
Description check	✅ Passed	The description provides the related issue number, marks the changes file checkbox, indicates tests were added/updated, and confirms manual QA was performed. All critical sections are addressed.
Linked Issues check	✅ Passed	Changes comprehensively address #42874 requirements: RolesFromSSOAttributes signature updated, parseRole handles empty/whitespace values by returning ssoAttrNullRoleValue, coerced attributes are tracked and logged, and extensive test coverage validates all scenarios.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to fixing SAML JIT role attribute handling: function signature updates, null coercion logic, warning logs, and comprehensive test updates. No unrelated modifications detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch 42874-saml-jit-provisioning-breaks-login-when-role-attributes-are-present-with-empty-values

Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 66.66667% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.74%. Comparing base (ed2b41b) to head (ea3fa50).
⚠️ Report is 13 commits behind head on main.

Files with missing lines	Patch %	Lines
ee/server/service/users.go	16.66%	8 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #45589      +/-   ##
==========================================
- Coverage   66.75%   66.74%   -0.02%     
==========================================
  Files        2740     2740              
  Lines      219199   219214      +15     
  Branches    10832    10832              
==========================================
- Hits       146331   146305      -26     
- Misses      59637    59683      +46     
+ Partials    13231    13226       -5     

Flag	Coverage Δ
backend	68.57% <66.66%> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.