fix(sso): Add support for Microsoft Entra ID email verification claims by bogdanmariusc10 · Pull Request #4396 · IBM/mcp-context-forge

bogdanmariusc10 · 2026-04-22T14:22:02Z

🔗 Related Issue

📝 Summary

Adds support for Microsoft Entra ID (Azure AD) email verification claims to fix authentication failures for Entra ID users in RC2+.

Problem:
Microsoft Entra ID does not follow the OIDC standard for email verification:

Work/School accounts omit the email_verified claim entirely
B2B/External ID scenarios use non-standard claims: verified_primary_email and verified_secondary_email

This caused authentication to fail for organizations using Entra ID SSO, blocking upgrades from RC1 to RC2+.

Solution:
Extended email verification logic to support Microsoft-specific claims while maintaining backward compatibility:

Checks email_verified (standard OIDC) first
Falls back to verified_primary_email (Microsoft B2B/External ID)
Falls back to verified_secondary_email (Microsoft B2B/External ID)
Pass-through when no claims present (supports work/school accounts)

Impact:

Unblocks Entra ID users from upgrading to RC2+
Maintains security by blocking login when claims explicitly indicate unverified email
No breaking changes to existing SSO providers

🏷️ Type of Change

🧪 Verification

Check	Command	Status
Lint suite	`make lint`	✅ Pass
Unit tests	`make test`	✅ Pass
Coverage ≥ 80%	`make coverage`	✅ Pass

Test Coverage:

Added 10 new normalization tests for Microsoft claims
Added 13 new verification logic tests
All existing 318 tests continue to pass
Total: 341 tests passing

✅ Checklist

Code formatted (make black isort pre-commit)
Tests added/updated for changes
Documentation updated (if applicable)
No secrets or credentials committed

📓 Notes

Implementation Details:

Modified _is_email_verified_claim()
- Extended to check Microsoft-specific claims
- Maintains claim precedence: email_verified > verified_primary_email > verified_secondary_email
- Pass-through behavior when all claims absent
Modified _build_normalized_user_info()
- Propagates Microsoft claims to normalized user info
- Ensures verification status flows through authentication pipeline
Test Coverage:
- test_sso_user_normalization.py - Normalization scenarios
- test_sso_service.py - Claim verification logic

Claim Precedence Examples:

// Standard claim takes precedence
{
  "email_verified": true,
  "verified_primary_email": false
}
→ Result: Login allowed

// Primary takes precedence over secondary
{
  "verified_primary_email": true,
  "verified_secondary_email": false
}
→ Result: Login allowed

// No claims = pass-through (Entra work accounts)
{
  "email": "user@company.com"
}
→ Result: Login allowed

Security Considerations:

Explicit false values block login (provider flagged as unverified)
Maintains fail-closed behavior for security
No changes to existing provider behavior

Microsoft Entra ID (Azure AD) does not follow the OIDC standard for email verification and uses alternative claim names in different scenarios: - Work/School accounts: Omit email_verified claim entirely - B2B/External ID: Use verified_primary_email or verified_secondary_email This commit extends the email verification logic to support these Microsoft- specific claims while maintaining backward compatibility with standard OIDC. Changes: - Extended _is_email_verified_claim() to check verified_primary_email and verified_secondary_email claims in addition to standard email_verified - Updated _build_normalized_user_info() to propagate Microsoft claims - Added comprehensive test coverage for all claim scenarios - Maintains precedence: email_verified > verified_primary_email > verified_secondary_email Claim precedence ensures standard OIDC claims take priority, with Microsoft claims serving as fallbacks. Absence of all claims results in pass-through (allows login) to support providers that don't include verification status. Fixes authentication failures for Entra ID users in RC2+ while maintaining security by blocking login when any claim explicitly indicates unverified email (false/0/"false"). Test coverage: 341 tests pass including 23 new tests for Microsoft claims Signed-off-by: Bogdan-Marius-Catanus <bogdan-marius.catanus@ibm.com>

Collapse the duplicated bool/int/str coercion ladder in ``_is_email_verified_claim`` and ``_build_normalized_user_info`` into a single ``_coerce_email_verified_claim`` helper driven by an ``_EMAIL_VERIFIED_CLAIMS`` precedence tuple. This removes the asymmetric fall-through for unrecognized Microsoft-claim value types (the policy is now symmetric and fail-secure across all three claims), eliminates a dead branch that duplicated the policy, and adds info / warning logs when a non-standard claim verifies an email or when an unrecognized claim type is rejected. The normalization step now stores ``email_verified`` as a coerced ``bool`` so downstream consumers cannot misread a raw ``"false"`` string as truthy. Signed-off-by: Jonathan Springer <jps@s390x.com>

#4396) * fix(auth): Add support for Microsoft Entra ID email verification claims Microsoft Entra ID (Azure AD) does not follow the OIDC standard for email verification and uses alternative claim names in different scenarios: - Work/School accounts: Omit email_verified claim entirely - B2B/External ID: Use verified_primary_email or verified_secondary_email This commit extends the email verification logic to support these Microsoft- specific claims while maintaining backward compatibility with standard OIDC. Changes: - Extended _is_email_verified_claim() to check verified_primary_email and verified_secondary_email claims in addition to standard email_verified - Updated _build_normalized_user_info() to propagate Microsoft claims - Added comprehensive test coverage for all claim scenarios - Maintains precedence: email_verified > verified_primary_email > verified_secondary_email Claim precedence ensures standard OIDC claims take priority, with Microsoft claims serving as fallbacks. Absence of all claims results in pass-through (allows login) to support providers that don't include verification status. Fixes authentication failures for Entra ID users in RC2+ while maintaining security by blocking login when any claim explicitly indicates unverified email (false/0/"false"). Test coverage: 341 tests pass including 23 new tests for Microsoft claims Signed-off-by: Bogdan-Marius-Catanus <bogdan-marius.catanus@ibm.com> * refactor(sso): consolidate email-verification claim coercion Collapse the duplicated bool/int/str coercion ladder in ``_is_email_verified_claim`` and ``_build_normalized_user_info`` into a single ``_coerce_email_verified_claim`` helper driven by an ``_EMAIL_VERIFIED_CLAIMS`` precedence tuple. This removes the asymmetric fall-through for unrecognized Microsoft-claim value types (the policy is now symmetric and fail-secure across all three claims), eliminates a dead branch that duplicated the policy, and adds info / warning logs when a non-standard claim verifies an email or when an unrecognized claim type is rejected. The normalization step now stores ``email_verified`` as a coerced ``bool`` so downstream consumers cannot misread a raw ``"false"`` string as truthy. Signed-off-by: Jonathan Springer <jps@s390x.com> --------- Signed-off-by: Bogdan-Marius-Catanus <bogdan-marius.catanus@ibm.com> Signed-off-by: Jonathan Springer <jps@s390x.com> Co-authored-by: Bogdan-Marius-Catanus <bogdan-marius.catanus@ibm.com> Co-authored-by: Jonathan Springer <jps@s390x.com>

bogdanmariusc10 added this to the Release 1.0.0 milestone Apr 22, 2026

bogdanmariusc10 added the security Improves security label Apr 22, 2026

bogdanmariusc10 requested review from crivetimihai and kevalmahajan as code owners April 22, 2026 14:22

bogdanmariusc10 added the SHOULD P2: Important but not vital; high-value items that are not crucial for the immediate release label Apr 22, 2026

bogdanmariusc10 requested review from brian-hussey and madhav165 as code owners April 22, 2026 14:22

bogdanmariusc10 linked an issue Apr 22, 2026 that may be closed by this pull request

[BUG][AUTH]: Entra SSO blocked by email_verified claim requirement - support verified_primary_email/verified_secondary_email #4391

Closed

5 tasks

bogdanmariusc10 added api REST API Related item client-green client-green release-fix Critical bugfix required for the release labels Apr 22, 2026

Bogdan-Marius-Catanus and others added 2 commits April 22, 2026 21:35

jonpspri force-pushed the 4391-bugauth-entra-sso-blocked-by-email_verified-claim-requirement---support-verified_primary_emailverified_secondary_email branch from dc80fe4 to e4f3986 Compare April 23, 2026 06:56

jonpspri merged commit b938b29 into main Apr 23, 2026
28 checks passed

jonpspri deleted the 4391-bugauth-entra-sso-blocked-by-email_verified-claim-requirement---support-verified_primary_emailverified_secondary_email branch April 23, 2026 08:27

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(sso): Add support for Microsoft Entra ID email verification claims#4396

fix(sso): Add support for Microsoft Entra ID email verification claims#4396
jonpspri merged 2 commits intomainfrom
4391-bugauth-entra-sso-blocked-by-email_verified-claim-requirement---support-verified_primary_emailverified_secondary_email

bogdanmariusc10 commented Apr 22, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

bogdanmariusc10 commented Apr 22, 2026

🔗 Related Issue

📝 Summary

🏷️ Type of Change

🧪 Verification

✅ Checklist

📓 Notes

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants