feat: make marketing email opt-in checkbox selectively ignorable

We want to support a flow for SSO-enabled Enterprise customers who have
agreed off-platform that none of their learners will opt-in to marketing emails
or sharing research data. This change proposes to do so by
adding an optional field that, when enabled, disables the presence of
the two checkboxes on this registration form and sets their values to false.

ENT-11401

Author: iloveagent57

.gitignore

@@ -13,6 +13,7 @@ lms/envs/private.py
 cms/envs/private.py
 .venv/
 CLAUDE.md
+.claude/
 AGENTS.md
 # end-noclean
 

common/djangoapps/third_party_auth/migrations/0014_samlproviderconfig_optional_email_checkboxes.py

@@ -0,0 +1,26 @@
+# Generated migration for adding optional checkbox skip configuration field
+
+from django.db import migrations, models
+import django.utils.translation
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('third_party_auth', '0013_default_site_id_wrapper_function'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='samlproviderconfig',
+            name='skip_registration_optional_checkboxes',
+            field=models.BooleanField(
+                default=False,
+                help_text=django.utils.translation.gettext_lazy(
+                    "If enabled, optional checkboxes (marketing emails opt-in, etc.) will not be rendered "
+                    "on the registration form for users registering via this provider. When these checkboxes "
+                    "are skipped, their values are inferred as False (opted out)."
+                ),
+            ),
+        ),
+    ]

common/djangoapps/third_party_auth/models.py

@@ -745,6 +745,14 @@ class SAMLProviderConfig(ProviderConfig):
             "immediately after authenticating with the third party instead of the login page."
         ),
     )
+    skip_registration_optional_checkboxes = models.BooleanField(
+        default=False,
+        help_text=_(
+            "If enabled, optional checkboxes (marketing emails opt-in, etc.) will not be rendered "
+            "on the registration form for users registering via this provider. When these checkboxes "
+            "are skipped, their values are inferred as False (opted out)."
+        ),
+    )
     other_settings = models.TextField(
         verbose_name="Advanced settings", blank=True,
         help_text=(

openedx/core/djangoapps/user_authn/views/registration_form.py

@@ -3,6 +3,7 @@
 """
 
 import copy
+import logging
 import re
 from importlib import import_module
 
@@ -18,6 +19,7 @@
 from eventtracking import tracker
 
 from common.djangoapps import third_party_auth
+from common.djangoapps.third_party_auth.models import SAMLProviderConfig
 from common.djangoapps.edxmako.shortcuts import marketing_link
 from common.djangoapps.student.models import CourseEnrollmentAllowed, UserProfile, email_exists_or_retired
 from common.djangoapps.util.password_policy_validators import (
@@ -36,6 +38,9 @@
 from openedx.features.enterprise_support.api import enterprise_customer_for_request
 
 
+log = logging.getLogger(__name__)
+
+
 class TrueCheckbox(widgets.CheckboxInput):
     """
     A checkbox widget that only accepts "true" (case-insensitive) as true.
@@ -410,6 +415,56 @@ def __init__(self):
             field_order.extend(sorted(difference))
 
         self.field_order = field_order
+        self.request = None  # Will be set by get_registration_form
+
+    def _get_saml_provider_config(self):
+        """
+        Get the SAML provider config for the current request's running pipeline.
+
+        Returns:
+            SAMLProviderConfig or None: The SAML provider config if found, None otherwise
+        """
+        if not self.request or not third_party_auth.is_enabled():
+            return None
+
+        running_pipeline = third_party_auth.pipeline.get(self.request)
+        if not running_pipeline:
+            return None
+
+        try:
+            # idp_name can be in kwargs directly or in kwargs['details']
+            saml_provider_name = running_pipeline.get('kwargs', {}).get('idp_name')
+            if not saml_provider_name:
+                saml_provider_name = (
+                    running_pipeline.get('kwargs', {})
+                    .get('details', {})
+                    .get('idp_name')
+                )
+
+            if not saml_provider_name:
+                return None
+
+            try:
+                # Try to find the SAML provider config
+                # First try with current_set(), then fall back to direct query
+                try:
+                    return SAMLProviderConfig.objects.current_set().get(
+                        slug=saml_provider_name
+                    )
+                except SAMLProviderConfig.DoesNotExist:
+                    # Fallback to direct query without current_set()
+                    return SAMLProviderConfig.objects.get(
+                        slug=saml_provider_name
+                    )
+            except SAMLProviderConfig.DoesNotExist:
+                log.debug(
+                    "SAML provider config not found for idp_name: %s",
+                    saml_provider_name
+                )
+                return None
+        except Exception as exc:  # pylint: disable=broad-except
+            log.debug("Error getting SAML provider config: %s", str(exc))
+            return None
 
     def get_registration_form(self, request):
         """Return a description of the registration form.
@@ -426,6 +481,7 @@ def get_registration_form(self, request):
         Returns:
             HttpResponse
         """
+        self.request = request
         form_desc = FormDescription("post", self._get_registration_submit_url(request))
         self._apply_third_party_auth_overrides(request, form_desc)
 
@@ -703,13 +759,40 @@ def _add_marketing_emails_opt_in_field(self, form_desc, required=False):
             platform_name=configuration_helpers.get_value('PLATFORM_NAME', settings.PLATFORM_NAME),
         )
 
+        # Default: checkbox is checked
+        default_value = True
+        field_required = required
+
+        # Check if SAML provider wants to skip optional checkboxes
+        saml_config = self._get_saml_provider_config()
+        if saml_config and saml_config.skip_registration_optional_checkboxes:
+            log.info(
+                "SAML provider %s has skip_registration_optional_checkboxes=True, "
+                "setting default to False and required to False",
+                saml_config.slug
+            )
+            default_value = False  # When skipped, user opts out by default
+            field_required = False  # Make field optional
+
+            # Set field override to ensure our SAML-specific values are used
+            # This will override any values set by the TPA provider
+            log.info(
+                "Setting field override for marketing_emails_opt_in to "
+                "defaultValue=False, required=False"
+            )
+            # pylint: disable=protected-access
+            form_desc._field_overrides['marketing_emails_opt_in'] = {
+                'defaultValue': False,
+                'required': False
+            }
+
         form_desc.add_field(
             'marketing_emails_opt_in',
             label=opt_in_label,
             field_type="checkbox",
             exposed=True,
-            default=True,  # the checkbox will automatically be checked; meaning user has opted in
-            required=required,
+            default=default_value,
+            required=field_required,
         )
 
     def _add_field_with_configurable_select_options(self, field_name, field_label, form_desc, required=False):
@@ -1150,22 +1233,47 @@ def _apply_third_party_auth_overrides(self, request, form_desc):
 
                     for field_name in self.DEFAULT_FIELDS + self.EXTRA_FIELDS:
                         if field_name in field_overrides:
-                            form_desc.override_field_properties(
-                                field_name, default=field_overrides[field_name]
-                            )
-
-                            if (
-                                field_name not in ['terms_of_service', 'honor_code'] and
-                                field_overrides[field_name] and
-                                hide_registration_fields_except_tos
-                            ):
+                            # Special handling for marketing_emails_opt_in:
+                            # If SAML provider config has skip_registration_optional_checkboxes=True,
+                            # don't let the provider's get_register_form_data override the default
+                            skip_override = False
+                            if field_name == 'marketing_emails_opt_in':
+                                saml_config = self._get_saml_provider_config()
+                                if saml_config and saml_config.skip_registration_optional_checkboxes:
+                                    log.debug(
+                                        "Skipping provider override for marketing_emails_opt_in "
+                                        "due to SAML config for provider: %s",
+                                        saml_config.slug
+                                    )
+                                    skip_override = True
+
+                            if not skip_override:
                                 form_desc.override_field_properties(
-                                    field_name,
-                                    field_type="hidden",
-                                    label="",
-                                    instructions="",
+                                    field_name, default=field_overrides[field_name]
                                 )
 
+                                if (
+                                    field_name not in ['terms_of_service', 'honor_code'] and
+                                    field_overrides[field_name] and
+                                    hide_registration_fields_except_tos
+                                ):
+                                    # When hiding a field, set default to False for checkbox fields
+                                    # like marketing_emails_opt_in to avoid auto-opting users in
+                                    field_default = field_overrides[field_name]
+                                    if field_name == 'marketing_emails_opt_in':
+                                        field_default = False
+                                        log.info(
+                                            "Hiding marketing_emails_opt_in field and setting default to False"
+                                        )
+
+                                    form_desc.override_field_properties(
+                                        field_name,
+                                        field_type="hidden",
+                                        default=field_default,
+                                        label="",
+                                        instructions="",
+                                    )
+
                     # Hide the confirm_email field
                     form_desc.override_field_properties(
                         "confirm_email",