Final fixes after testing with Entra ID. (#28987)

For #28196 Demo video of the full feature: https://youtu.be/7PM41LBsnig # Checklist for submitter - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - [x] Added/updated automated tests - [x] A detailed QA plan exists on the associated ticket (if it isn't there, work with the product group's QA engineer to add it) - [x] Manual QA for all new/changed functionality
2026-05-24 09:28:54 +00:00 · 2025-05-09 09:27:23 -05:00 · 2025-05-09 09:27:23 -05:00 · 023be30cef
commit 023be30cef
parent 33396a5d91
3 changed files with 24 additions and 5 deletions
--- a/server/datastore/mysql/scim.go
+++ b/server/datastore/mysql/scim.go
@ -142,7 +142,16 @@ func (ds *Datastore) ScimUserByUserNameOrEmail(ctx context.Context, userName str
 		return nil, notFound("scim user")
 	}

-	// Try to find the user by email
+	// Now, try to find the user by using the email as the userName
+	user, err := ds.ScimUserByUserName(ctx, email)
+	switch {
+	case err == nil:
+		return user, nil
+	case !fleet.IsNotFound(err):
+		return nil, ctxerr.Wrap(ctx, err, "select scim user by userName")
+	}
+
+	// Next, to find the user by email
 	const query = `
 		SELECT
 			scim_users.id, external_id, user_name, given_name, family_name, active, scim_users.updated_at
@ -152,7 +161,7 @@ func (ds *Datastore) ScimUserByUserNameOrEmail(ctx context.Context, userName str
 	`

 	var users []fleet.ScimUser
-	err := sqlx.SelectContext(ctx, ds.reader(ctx), &users, query, email)
+	err = sqlx.SelectContext(ctx, ds.reader(ctx), &users, query, email)
 	if err != nil {
 		return nil, ctxerr.Wrap(ctx, err, "select scim user by email")
 	}
--- a/server/datastore/mysql/scim_test.go
+++ b/server/datastore/mysql/scim_test.go
@ -1599,6 +1599,13 @@ func testScimUserByUserNameOrEmail(t *testing.T, ds *Datastore) {
 	assert.NotNil(t, err)
 	assert.True(t, fleet.IsNotFound(err))
 	assert.Nil(t, user)
+
+	// Test 7: Find user when email is used as userName
+	// This tests the case where the userName field contains an email address
+	user, err = ds.ScimUserByUserNameOrEmail(t.Context(), "nonexistent-username", "email-test-user1")
+	require.NoError(t, err)
+	assert.Equal(t, "email-test-user1", user.UserName)
+	assert.Equal(t, users[0].ID, user.ID)
 }

 func testScimUserReplaceValidation(t *testing.T, ds *Datastore) {
--- a/server/worker/apple_mdm.go
+++ b/server/worker/apple_mdm.go
@ -245,17 +245,20 @@ func (a *AppleMDM) getAppConfig(ctx context.Context, appConfig *fleet.AppConfig)
 }

 func (a *AppleMDM) getIdPDisplayName(ctx context.Context, acct *fleet.MDMIdPAccount, args appleMDMArgs) (string, error) {
-	if acct.Fullname != "" {
+	if acct.Fullname != "" && !strings.Contains(acct.Fullname, "@") {
 		return acct.Fullname, nil
 	}

-	// If full name is empty, see if it exists via SCIM integration
+	// If full name is empty or appears to be an email, see if it exists via SCIM integration
 	scimUser, err := a.Datastore.ScimUserByUserNameOrEmail(ctx, acct.Username, acct.Email)
 	switch {
 	case err != nil && !fleet.IsNotFound(err):
 		return "", ctxerr.Wrap(ctx, err, "getting scim user details for enroll reference %s and host_uuid %s", acct.UUID, args.HostUUID)
 	case scimUser == nil:
-		return "", nil
+		return acct.Fullname, nil
+	}
+	if scimUser.DisplayName() == "" {
+		return acct.Fullname, nil
 	}
 	return scimUser.DisplayName(), nil
 }