Invitations story needs a lot more tests.

login/src/main/java/org/cloudfoundry/identity/uaa/login/saml/LoginSamlAuthenticationProvider.java

@@ -221,7 +221,7 @@ public MultiValueMap<String, String> retrieveUserAttributes(SamlIdentityProvider
     protected UaaUser createIfMissing(UaaPrincipal samlPrincipal, boolean addNew, Collection<? extends GrantedAuthority> authorities, MultiValueMap<String, String> userAttributes) {
         UaaUser user = null;
         String invitedUserId = null;
-        boolean is_invitation_acceptance = (boolean) RequestContextHolder.currentRequestAttributes().getAttribute("IS_INVITE_ACCEPTANCE", RequestAttributes.SCOPE_SESSION);
+        boolean is_invitation_acceptance = isAcceptedInvitationAuthentication();
         if (is_invitation_acceptance) {
             invitedUserId = (String) RequestContextHolder.currentRequestAttributes().getAttribute("user_id", RequestAttributes.SCOPE_SESSION);
             user = userDatabase.retrieveUserById(invitedUserId);
@@ -280,6 +280,16 @@ protected UaaUser createIfMissing(UaaPrincipal samlPrincipal, boolean addNew, Co
         return user;
     }
 
+    protected boolean isAcceptedInvitationAuthentication() {
+        try {
+            return (boolean) RequestContextHolder.currentRequestAttributes().getAttribute("IS_INVITE_ACCEPTANCE", RequestAttributes.SCOPE_SESSION);
+        } catch (IllegalStateException x) {
+            //nothing bound on thread.
+            logger.debug("Unable to retrieve request attributes during SAML authentication.");
+            return false;
+        }
+    }
+
     protected UaaUser getUser(UaaPrincipal principal, MultiValueMap<String,String> userAttributes) {
         String name = principal.getName();
         String email = userAttributes.getFirst(EMAIL_ATTRIBUTE_NAME);

uaa/src/test/java/org/cloudfoundry/identity/uaa/login/InvitationsServiceMockMvcTests.java

@@ -110,7 +110,7 @@ public String getAdminToken() {
     }
 
     public ZoneScimInviteData createZoneForInvites() throws Exception {
-        IdentityZoneCreationResult zone = utils().createOtherIdentityZoneAndReturnResult(generator.generate(), getMockMvc(), getWebApplicationContext(), null);
+        IdentityZoneCreationResult zone = utils().createOtherIdentityZoneAndReturnResult(generator.generate().toLowerCase(), getMockMvc(), getWebApplicationContext(), null);
         BaseClientDetails appClient = new BaseClientDetails("app","","scim.invite", "client_credentials,password,authorization_code","uaa.admin,clients.admin,scim.write,scim.read,scim.invite",REDIRECT_URI);
         appClient.setClientSecret("secret");
         appClient = utils().createClient(getMockMvc(), zone.getZoneAdminToken(), appClient, zone.getIdentityZone());
@@ -333,10 +333,10 @@ public void invite_ldap_users_verifies_and_redirects() throws Exception {
                 .header("Host", zone.getZone().getIdentityZone().getSubdomain() + ".localhost")
         );
         actions
-            .andExpect(status().isFound())
-            .andExpect(redirectedUrl(REDIRECT_URI));
+            .andExpect(status().isOk())
+            .andExpect(content().string(containsString("Email: "+email)));
 
-        assertTrue("LDAP user should be verified after accepting invite", queryUserForField(email, "verified", Boolean.class));
+        assertFalse("LDAP user should not be verified after accepting invite until logging in", queryUserForField(email, "verified", Boolean.class));
     }
 
     @Test
@@ -357,19 +357,25 @@ public void invite_saml_user_will_redirect_upon_accept() throws Exception {
         assertFalse("User should not be verified", queryUserForField(email, "verified", Boolean.class));
         assertEquals(originKey, queryUserForField(email, Origin.ORIGIN, String.class));
 
-
+        //should redirect to saml provider
         getMockMvc().perform(
             get("/invitations/accept")
                 .param("code", code)
                 .accept(MediaType.TEXT_HTML)
                 .header("Host", zone.getZone().getIdentityZone().getSubdomain() + ".localhost")
         )
             .andExpect(status().is3xxRedirection())
-            .andExpect(redirectedUrl(REDIRECT_URI));
+            .andExpect(
+                redirectedUrl(
+                    String.format("/saml/discovery?returnIDParam=idp&entityID=%s.cloudfoundry-saml-login&idp=%s&isPassive=true",
+                                  zone.getZone().getIdentityZone().getId(),
+                                  originKey)
+                )
+            );
 
 
         assertEquals(provider.getOriginKey(), queryUserForField(email, Origin.ORIGIN, String.class));
-        assertTrue("Saml user should be verified after clicking on the accept link", queryUserForField(email, "verified", Boolean.class));
+        assertFalse("Saml user should not yet be verified after clicking on the accept link", queryUserForField(email, "verified", Boolean.class));
     }
 
     protected IdentityProvider createIdentityProvider(IdentityZoneCreationResult zone, String nameAndOriginKey, AbstractIdentityProviderDefinition definition) throws Exception {