feat: Add configurable registration field overrides for SAML providers

macdiesel · macdiesel · commit fedda7ea85aa · 2026-02-18T18:50:58.000Z
diff --git a/common/djangoapps/third_party_auth/migrations/0014_alter_samlproviderconfig_other_settings.py b/common/djangoapps/third_party_auth/migrations/0014_alter_samlproviderconfig_other_settings.py
@@ -0,0 +1,18 @@
+# Generated by Django 4.2.13 on 2026-02-18 00:00
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('third_party_auth', '0013_default_site_id_wrapper_function'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='samlproviderconfig',
+            name='other_settings',
+            field=models.TextField(blank=True, help_text='For advanced use cases, enter a JSON object with addtional configuration. The tpa-saml backend supports {"requiredEntitlements": ["urn:..."]}, which can be used to require the presence of a specific eduPersonEntitlement, and {"extra_field_definitions": [{"name": "...", "urn": "..."},...]}, which can be used to define registration form fields and the URNs that can be used to retrieve the relevant values from the SAML response, and {"registration_field_overrides": {"field_name": "required|optional|hidden"}}, which can be used to control the visibility and requirement status of specific registration form fields (e.g., marketing_emails_opt_in, research). Custom provider types, as selected in the "Identity Provider Type" field, may make use of the information stored in this field for additional configuration.', verbose_name='Advanced settings'),
+        ),
+    ]
diff --git a/common/djangoapps/third_party_auth/models.py b/common/djangoapps/third_party_auth/models.py
@@ -753,9 +753,12 @@ class SAMLProviderConfig(ProviderConfig):
             'which can be used to require the presence of a specific eduPersonEntitlement, '
             'and {"extra_field_definitions": [{"name": "...", "urn": "..."},...]}, which can be '
             'used to define registration form fields and the URNs that can be used to retrieve '
-            'the relevant values from the SAML response. Custom provider types, as selected '
-            'in the "Identity Provider Type" field, may make use of the information stored '
-            'in this field for additional configuration.'
+            'the relevant values from the SAML response, '
+            'and {"registration_field_overrides": {"field_name": "required|optional|hidden"}}, '
+            'which can be used to control the visibility and requirement status of specific '
+            'registration form fields (e.g., marketing_emails_opt_in, research). '
+            'Custom provider types, as selected in the "Identity Provider Type" field, may make '
+            'use of the information stored in this field for additional configuration.'
         )
     )
     archived = models.BooleanField(default=False)
@@ -838,7 +841,39 @@ def get_setting(self, name):
             return other_settings[name]
         raise KeyError
 
-    def get_config(self, backend):
+    def get_registration_field_overrides(self):
+        """
+        Get registration field visibility/requirement overrides for this provider.
+
+        This allows SAML providers to configure whether certain fields
+        (like marketing_emails_opt_in or research) should be required,
+        optional, or hidden on the registration form.
+
+        Returns:
+            dict: Mapping of field names to settings ("required", "optional", "hidden")
+                  Returns empty dict if no overrides are configured.
+
+        Example:
+            {
+                "marketing_emails_opt_in": "optional",
+                "research": "hidden"
+            }
+        """
+        try:
+            overrides = self.get_setting('registration_field_overrides')
+            # Validate override values
+            valid_values = {'required', 'optional', 'hidden'}
+            if isinstance(overrides, dict):
+                return {
+                    field: value
+                    for field, value in overrides.items()
+                    if value in valid_values
+                }
+            return {}
+        except KeyError:
+            return {}
+
+    def get_config(self):
         """
         Return a SAMLIdentityProvider instance for use by SAMLAuthBackend.
 
@@ -898,7 +933,7 @@ def get_config(self, backend):
             SAMLConfiguration.current(self.site.id, 'default')
         )
         idp_class = get_saml_idp_class(self.identity_provider_type)
-        return idp_class(backend, self.slug, **conf)
+        return idp_class(self.slug, **conf)
 
 
 class SAMLProviderData(models.Model):
diff --git a/openedx/core/djangoapps/user_authn/views/registration_form.py b/openedx/core/djangoapps/user_authn/views/registration_form.py
@@ -401,7 +401,7 @@ def __init__(self):
 
         field_order = configuration_helpers.get_value('REGISTRATION_FIELD_ORDER')
         if not field_order:
-            field_order = settings.REGISTRATION_FIELD_ORDER or valid_fields
+            field_order = getattr(settings, 'REGISTRATION_FIELD_ORDER', None) or valid_fields
         # Check that all of the valid_fields are in the field order and vice versa,
         # if not append missing fields at end of field order
         if set(valid_fields) != set(field_order):
@@ -1111,6 +1111,57 @@ def _add_terms_of_service_field(self, form_desc, required=True):
             },
         )
 
+    def _apply_provider_field_overrides(self, form_desc, provider_overrides, field_name):
+        """
+        Apply SAML provider-specific overrides to a registration form field.
+
+        This allows SAML providers to configure whether certain fields
+        (like marketing_emails_opt_in or research) should be required,
+        optional, or hidden.
+
+        Arguments:
+            form_desc (FormDescription): The registration form description to modify
+            provider_overrides (dict): Field override configuration from provider
+            field_name (str): Name of the field to potentially override
+
+        Returns:
+            bool: True if the field was overridden, False otherwise
+        """
+        if field_name not in provider_overrides:
+            return False
+
+        override_value = provider_overrides[field_name]
+
+        if override_value == "hidden":
+            # Hide the field completely
+            form_desc.override_field_properties(
+                field_name,
+                field_type="hidden",
+                required=False,
+                label="",
+                instructions="",
+                default=""
+            )
+            return True
+
+        elif override_value == "required":
+            # Make the field required
+            form_desc.override_field_properties(
+                field_name,
+                required=True
+            )
+            return True
+
+        elif override_value == "optional":
+            # Make the field optional (ensure it's not required)
+            form_desc.override_field_properties(
+                field_name,
+                required=False
+            )
+            return True
+
+        return False
+
     def _apply_third_party_auth_overrides(self, request, form_desc):
         """Modify the registration form if the user has authenticated with a third-party provider.
         If a user has successfully authenticated with a third-party provider,
@@ -1195,3 +1246,26 @@ def _apply_third_party_auth_overrides(self, request, form_desc):
                         default=current_provider.name if current_provider.name else "Third Party",
                         required=False,
                     )
+
+                    # Apply provider-specific field visibility overrides
+                    # This allows SAML providers to configure whether fields like
+                    # marketing_emails_opt_in or research should be shown/required
+                    provider_field_overrides = current_provider.get_registration_field_overrides()
+
+                    if provider_field_overrides:
+                        # List of fields that can be overridden by the provider
+                        overrideable_fields = [
+                            'marketing_emails_opt_in',
+                            'research',
+                            # Add more fields here as needed
+                        ]
+
+                        for field_name in overrideable_fields:
+                            # Only apply overrides for fields that are actually in the form
+                            # This check prevents errors if a field isn't enabled platform-wide
+                            if any(f['name'] == field_name for f in form_desc.fields):
+                                self._apply_provider_field_overrides(
+                                    form_desc,
+                                    provider_field_overrides,
+                                    field_name
+                                )
diff --git a/openedx/core/djangoapps/user_authn/views/tests/test_register.py b/openedx/core/djangoapps/user_authn/views/tests/test_register.py
