feat(docker-jans-saml): turn off profile update on first login

docker-jans-saml/Dockerfile

@@ -35,7 +35,7 @@ RUN wget -q https://jenkins.jans.io/maven/io/jans/kc-jans-spi/${CN_VERSION}/kc-j
 # Assets sync
 # ===========
 
-ENV JANS_SOURCE_VERSION=4b07e84a14df81899900724515f3eead1d579443
+ENV JANS_SOURCE_VERSION=9b4f5cfcd3742e5e7383bcb5b446019b8d35ad61
 ARG JANS_SETUP_DIR=jans-linux-setup/jans_setup
 
 # note that as we're pulling from a monorepo (with multiple project in it)

docker-jans-saml/scripts/configure_kc.py

@@ -236,7 +236,6 @@ def get_or_create_flow(self):
 
     def create_flow_executions(self, flow):
         def _create_execution(config_fn, flow, authenticator):
-            execution_id = ""
             executions = [
                 execution for execution in flow["authenticationExecutions"]
                 if execution["authenticator"] == authenticator
@@ -246,8 +245,8 @@ def _create_execution(config_fn, flow, authenticator):
                 if code != 0:
                     logger.warning(f"Unable to create execution specified in {config_fn}; reason={err.decode()}")
                 else:
-                    execution_id = err.decode().strip().split()[-1].strip("'").strip('"')
-            return execution_id
+                    return err.decode().strip().split()[-1].strip("'").strip('"')
+            return ""
 
         # create required executions
         _create_execution(f"{self.base_dir}/jans.execution-auth-cookie.json", flow, "auth-cookie")
@@ -314,6 +313,37 @@ def disable_verify_profile(self):
         if code != 0:
             logger.warning(f"Unable to disable VERIFY_PROFILE specified in {profile_config}; reason={err.decode()}")
 
+    def disable_first_login_update_profile(self):
+        auth_config = ""
+        profile_update_enabled = ""
+
+        # extract authenticator config
+        out, err, code = exec_cmd(f"{self.kcadm_script} get authentication/flows/first%20broker%20login/executions -r {self.ctx['jans_idp_realm']} --config {self.config_file}")
+
+        if code != 0:
+            logger.warning(f"Unable to get first broker login flows; reason={err.decode()}")
+        else:
+            for flow in json.loads(out.decode()):
+                if flow["displayName"] == "Review Profile":
+                    auth_config = flow["authenticationConfig"]
+                    break
+
+        # extract profile update config
+        if auth_config:
+            out, err, code = exec_cmd(f"{self.kcadm_script} get authentication/config/{auth_config} -r {self.ctx['jans_idp_realm']} --config {self.config_file}")
+
+            if code != 0:
+                logger.warning(f"Unable to get config {auth_config}; reason={err.decode()}")
+            else:
+                profile_update_enabled = json.loads(out.decode()).get("config", {}).get("update.profile.on.first.login", "")
+
+            if profile_update_enabled != "off":
+                auth_config_fn = f"{self.base_dir}/jans.update-authenticator-config.json"
+                out, err, code = exec_cmd(f"{self.kcadm_script} update authentication/config/{auth_config}  -f {auth_config_fn} -r {self.ctx['jans_idp_realm']} --config {self.config_file}")
+
+                if code != 0:
+                    logger.warning(f"Unable to update config {auth_config}; reason={err.decode()}")
+
 
 class MysqlKeycloak:
     def __init__(self):
@@ -430,6 +460,9 @@ def main():
 
             kc.create_flow_executions(flow)
 
+        kc.render_templates(templates=["jans.update-authenticator-config.json"])
+        kc.disable_first_login_update_profile()
+
         # grant privilege (if required)
         kc.grant_xa_transaction_privilege()