Skip to content

Add shared user SSO integration tests.#28090

Open
Yasasr1 wants to merge 1 commit into
masterfrom
add-shared-user-sso-tests
Open

Add shared user SSO integration tests.#28090
Yasasr1 wants to merge 1 commit into
masterfrom
add-shared-user-sso-tests

Conversation

@Yasasr1

@Yasasr1 Yasasr1 commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Purpose

Adding the integration tests

  • Shared user cross organization SSO when logged in via a shared app.
  • Shared user cross organization SSO when logged in via sub-organization apps.

Related issue

@coderabbitai

coderabbitai Bot commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Summary

This PR introduces comprehensive integration test coverage for shared user cross-organization Single Sign-On (SSO) functionality in WSO2 Identity Server, addressing test requirements for issue #27371.

Changes

New Test Classes

SharedUserSharedAppCrossOrgSsoTestCase.java (545 lines)

  • Tests cross-organization SSO when authentication is initiated through a shared root application
  • Test flow:
    • Creates a root organization OIDC application (authorization code grant)
    • Creates two sub-organizations and shares the application with both
    • Creates a root organization user and shares it to both sub-organizations
    • Performs authorization and authentication at sub-organization 1
    • Verifies ID token validity and user identity
    • Confirms silent SSO (without re-authentication) when accessing sub-organization 2
    • Validates token endpoints and identity claims across organizations

SharedUserSubOrgAppCrossOrgSsoTestCase.java (526 lines)

  • Tests cross-organization SSO when authentication is initiated through sub-organization applications
  • Test flow:
    • Creates two sub-organizations with their own OIDC applications
    • Configures shared-user authentication sequence for each sub-organization application
    • Creates a root organization user and shares it to both sub-organizations
    • Performs authorization and authentication at sub-organization 1
    • Verifies ID token validity and user identity
    • Confirms SSO functionality when accessing sub-organization 2
    • Validates token endpoints and identity claims across organizations

Test Configuration Update

testng.xml

  • Registered both new test classes in the is-tests-default-configuration test suite

Test Coverage

Both test classes validate:

  • User authentication across organizational boundaries
  • Token exchange and validation
  • Cross-organization single sign-on functionality
  • ID token subject claim verification
  • Authorization code flow in multi-organization scenarios

Walkthrough

Two new TestNG integration test classes are added for cross-organization SSO scenarios. SharedUserSharedAppCrossOrgSsoTestCase creates a root OIDC application with enhanced-org-auth, shares it to two sub-organizations, creates a root user and shares the user to both sub-orgs, then validates first-factor login to sub-org 1 and silent SSO to sub-org 2 via org handle, asserting the ID-token sub claim matches the root user ID in both cases. SharedUserSubOrgAppCrossOrgSsoTestCase follows the same pattern but creates separate OIDC applications directly in each sub-organization rather than sharing a root app. Both classes include cleanup routines and helper methods for auth sequence construction, token exchange, JWT claim extraction, and exponential-backoff polling. Both classes are registered in testng.xml.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 4.88% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title directly and concisely summarizes the main change: adding shared user SSO integration tests, which aligns with the changeset adding two new test classes.
Description check ✅ Passed The description clearly relates to the changeset, outlining the two specific SSO test scenarios being added and referencing a related issue.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch add-shared-user-sso-tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@sonarqubecloud

Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oauth2/SharedUserSharedAppCrossOrgSsoTestCase.java`:
- Around line 160-171: The testDisableMultiAttributeLogin method disables the
multi-attribute login connector but never restores it, breaking test isolation
and potentially affecting other tests in the suite. Either capture the original
state of the MULTI_ATTRIBUTE_ENABLE_PROPERTY before disabling it in the
testDisableMultiAttributeLogin method and restore it afterward, or add cleanup
logic in an `@AfterClass` or `@After` method that explicitly re-enables the
MULTI_ATTRIBUTE_ENABLE_PROPERTY by setting its value back to "true" using the
identityGovernanceRestClient.updateConnectors call. This ensures the governance
setting is restored to its original state after the test completes.
- Around line 260-264: The filter expression in the userSearchReq object is
missing quotes around the userName value. In the line where the filter is set
with "userName eq " + ROOT_USER_USERNAME, the ROOT_USER_USERNAME value needs to
be wrapped in double quotes to comply with SCIM filter syntax. Modify the filter
string construction to include escaped double quotes around the
ROOT_USER_USERNAME variable so the filter becomes a properly quoted string
value.

In
`@modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oauth2/SharedUserSubOrgAppCrossOrgSsoTestCase.java`:
- Around line 163-172: The testDisableMultiAttributeLogin() method disables
multi-attribute login by setting MULTI_ATTRIBUTE_ENABLE_PROPERTY to false but
does not restore this configuration afterward, which breaks test isolation by
persisting the change across tests. Add cleanup code in the cleanupTest() method
to revert the MULTI_ATTRIBUTE_ENABLE_PROPERTY back to its original value (true)
using the same ConnectorsPatchReq and
identityGovernanceRestClient.updateConnectors approach, ensuring the
configuration state is properly restored after each test execution.
- Around line 243-247: The SCIM filter construction in the userSearchReq object
is missing quotes around the username value in the filter string. In the filter
parameter where "userName eq " is concatenated with ROOT_USER_USERNAME, wrap the
ROOT_USER_USERNAME variable with double quotes to ensure the SCIM filter syntax
is correct and the username is treated as a proper string literal value.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d067fcb5-9413-4eff-8be1-64fc332de371

📥 Commits

Reviewing files that changed from the base of the PR and between abe7fc0 and 7a8cb7a.

📒 Files selected for processing (3)
  • modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oauth2/SharedUserSharedAppCrossOrgSsoTestCase.java
  • modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oauth2/SharedUserSubOrgAppCrossOrgSsoTestCase.java
  • modules/integration/tests-integration/tests-backend/src/test/resources/testng.xml

Comment on lines +160 to +171
@Test(priority = 2, dependsOnMethods = "testInit")
public void testDisableMultiAttributeLogin() throws Exception {

ConnectorsPatchReq connectorPatchReq = new ConnectorsPatchReq();
connectorPatchReq.setOperation(ConnectorsPatchReq.OperationEnum.UPDATE);
PropertyReq enableProperty = new PropertyReq();
enableProperty.setName(MULTI_ATTRIBUTE_ENABLE_PROPERTY);
enableProperty.setValue("false");
connectorPatchReq.addProperties(enableProperty);
identityGovernanceRestClient.updateConnectors(ACCOUNT_MGT_CATEGORY_ID, MULTI_ATTRIBUTE_CONNECTOR_ID,
connectorPatchReq);
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Restore the multi-attribute-login connector state during teardown.

This test disables a shared governance setting but never restores it. That can affect later tests in the same suite and reduce isolation. Capture the original value (or explicitly re-enable in @AfterClass) and restore it.

Suggested fix
+    private String originalMultiAttributeLoginEnabled;
...
     public void testDisableMultiAttributeLogin() throws Exception {
+        // Read and cache current value before patch (via existing governance client helper if available).
+        // originalMultiAttributeLoginEnabled = ...;
         ConnectorsPatchReq connectorPatchReq = new ConnectorsPatchReq();
         connectorPatchReq.setOperation(ConnectorsPatchReq.OperationEnum.UPDATE);
         PropertyReq enableProperty = new PropertyReq();
         enableProperty.setName(MULTI_ATTRIBUTE_ENABLE_PROPERTY);
         enableProperty.setValue("false");
         connectorPatchReq.addProperties(enableProperty);
         identityGovernanceRestClient.updateConnectors(ACCOUNT_MGT_CATEGORY_ID, MULTI_ATTRIBUTE_CONNECTOR_ID,
                 connectorPatchReq);
     }
...
     public void cleanupTest() {
+        if (identityGovernanceRestClient != null) {
+            try {
+                ConnectorsPatchReq restorePatch = new ConnectorsPatchReq();
+                restorePatch.setOperation(ConnectorsPatchReq.OperationEnum.UPDATE);
+                PropertyReq enableProperty = new PropertyReq();
+                enableProperty.setName(MULTI_ATTRIBUTE_ENABLE_PROPERTY);
+                enableProperty.setValue(originalMultiAttributeLoginEnabled != null ?
+                        originalMultiAttributeLoginEnabled : "true");
+                restorePatch.addProperties(enableProperty);
+                identityGovernanceRestClient.updateConnectors(
+                        ACCOUNT_MGT_CATEGORY_ID, MULTI_ATTRIBUTE_CONNECTOR_ID, restorePatch);
+            } catch (Exception e) {
+                log.error("Failed to restore multi attribute login connector setting.", e);
+            }
+        }
         if (identityGovernanceRestClient != null) {
             try {
                 identityGovernanceRestClient.closeHttpClient();

Also applies to: 373-446

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oauth2/SharedUserSharedAppCrossOrgSsoTestCase.java`
around lines 160 - 171, The testDisableMultiAttributeLogin method disables the
multi-attribute login connector but never restores it, breaking test isolation
and potentially affecting other tests in the suite. Either capture the original
state of the MULTI_ATTRIBUTE_ENABLE_PROPERTY before disabling it in the
testDisableMultiAttributeLogin method and restore it afterward, or add cleanup
logic in an `@AfterClass` or `@After` method that explicitly re-enables the
MULTI_ATTRIBUTE_ENABLE_PROPERTY by setting its value back to "true" using the
identityGovernanceRestClient.updateConnectors call. This ensures the governance
setting is restored to its original state after the test completes.

Comment on lines +260 to +264
String userSearchReq = new JSONObject()
.put("schemas", new JSONArray().put("urn:ietf:params:scim:api:messages:2.0:SearchRequest"))
.put("attributes", new JSONArray().put("id"))
.put("filter", "userName eq " + ROOT_USER_USERNAME)
.toString();

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Quote the SCIM userName value in the filter expression.

The filter payload currently builds userName eq <value> without string quoting, which can cause shared-user polling to fail or become parser-dependent. Build it as a quoted value.

Suggested fix
-        String userSearchReq = new JSONObject()
+        String userSearchReq = new JSONObject()
                 .put("schemas", new JSONArray().put("urn:ietf:params:scim:api:messages:2.0:SearchRequest"))
                 .put("attributes", new JSONArray().put("id"))
-                .put("filter", "userName eq " + ROOT_USER_USERNAME)
+                .put("filter", "userName eq \"" + ROOT_USER_USERNAME + "\"")
                 .toString();
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
String userSearchReq = new JSONObject()
.put("schemas", new JSONArray().put("urn:ietf:params:scim:api:messages:2.0:SearchRequest"))
.put("attributes", new JSONArray().put("id"))
.put("filter", "userName eq " + ROOT_USER_USERNAME)
.toString();
String userSearchReq = new JSONObject()
.put("schemas", new JSONArray().put("urn:ietf:params:scim:api:messages:2.0:SearchRequest"))
.put("attributes", new JSONArray().put("id"))
.put("filter", "userName eq \"" + ROOT_USER_USERNAME + "\"")
.toString();
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oauth2/SharedUserSharedAppCrossOrgSsoTestCase.java`
around lines 260 - 264, The filter expression in the userSearchReq object is
missing quotes around the userName value. In the line where the filter is set
with "userName eq " + ROOT_USER_USERNAME, the ROOT_USER_USERNAME value needs to
be wrapped in double quotes to comply with SCIM filter syntax. Modify the filter
string construction to include escaped double quotes around the
ROOT_USER_USERNAME variable so the filter becomes a properly quoted string
value.

Comment on lines +163 to +172
public void testDisableMultiAttributeLogin() throws Exception {

ConnectorsPatchReq connectorPatchReq = new ConnectorsPatchReq();
connectorPatchReq.setOperation(ConnectorsPatchReq.OperationEnum.UPDATE);
PropertyReq enableProperty = new PropertyReq();
enableProperty.setName(MULTI_ATTRIBUTE_ENABLE_PROPERTY);
enableProperty.setValue("false");
connectorPatchReq.addProperties(enableProperty);
identityGovernanceRestClient.updateConnectors(ACCOUNT_MGT_CATEGORY_ID, MULTI_ATTRIBUTE_CONNECTOR_ID,
connectorPatchReq);

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Revert the connector configuration change in teardown to preserve test isolation.

This class disables multi-attribute login but does not restore it. Persisting this change across tests can create order-dependent failures. Restore the previous value (or explicitly re-enable) in cleanupTest().

Also applies to: 360-426

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oauth2/SharedUserSubOrgAppCrossOrgSsoTestCase.java`
around lines 163 - 172, The testDisableMultiAttributeLogin() method disables
multi-attribute login by setting MULTI_ATTRIBUTE_ENABLE_PROPERTY to false but
does not restore this configuration afterward, which breaks test isolation by
persisting the change across tests. Add cleanup code in the cleanupTest() method
to revert the MULTI_ATTRIBUTE_ENABLE_PROPERTY back to its original value (true)
using the same ConnectorsPatchReq and
identityGovernanceRestClient.updateConnectors approach, ensuring the
configuration state is properly restored after each test execution.

Comment on lines +243 to +247
String userSearchReq = new JSONObject()
.put("schemas", new JSONArray().put("urn:ietf:params:scim:api:messages:2.0:SearchRequest"))
.put("attributes", new JSONArray().put("id"))
.put("filter", "userName eq " + ROOT_USER_USERNAME)
.toString();

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Fix SCIM filter construction by quoting the username value.

The current filter omits quotes around the userName string value, which can make shared-user polling brittle. Build the filter with a quoted literal.

Suggested fix
         String userSearchReq = new JSONObject()
                 .put("schemas", new JSONArray().put("urn:ietf:params:scim:api:messages:2.0:SearchRequest"))
                 .put("attributes", new JSONArray().put("id"))
-                .put("filter", "userName eq " + ROOT_USER_USERNAME)
+                .put("filter", "userName eq \"" + ROOT_USER_USERNAME + "\"")
                 .toString();
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@modules/integration/tests-integration/tests-backend/src/test/java/org/wso2/identity/integration/test/oauth2/SharedUserSubOrgAppCrossOrgSsoTestCase.java`
around lines 243 - 247, The SCIM filter construction in the userSearchReq object
is missing quotes around the username value in the filter string. In the filter
parameter where "userName eq " is concatenated with ROOT_USER_USERNAME, wrap the
ROOT_USER_USERNAME variable with double quotes to ensure the SCIM filter syntax
is correct and the username is treated as a proper string literal value.

@jenkins-is-staging

Copy link
Copy Markdown
Contributor

PR builder started
Link: https://github.com/wso2/product-is/actions/runs/28842618423

@jenkins-is-staging

Copy link
Copy Markdown
Contributor

PR builder completed
Link: https://github.com/wso2/product-is/actions/runs/28842618423
Status: success

@jenkins-is-staging jenkins-is-staging left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving the pull request based on the successful pr build https://github.com/wso2/product-is/actions/runs/28842618423

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants