From 9bae6566760f88c546255e0e9f859f68f9ea2f9e Mon Sep 17 00:00:00 2001
From: Aaron Tan
Date: Mon, 25 Sep 2017 15:20:43 -0400
Subject: [PATCH] Restore SAML enterprise user auth logic Connect #7666 of ansible-tower and follow up original fix tower #455. The original fix solves the problem of duplicated db keys, but breaks a rule of enterprise users that 'Enterprise users cannot be created/authenticated if non-enterprise users with the same name has already been created in Tower.'. This fix resumes that rule.
Signed-off-by: Aaron Tan
---
 awx/sso/backends.py | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/awx/sso/backends.py b/awx/sso/backends.py
index 437aef139c..72b12a6b75 100644
--- a/awx/sso/backends.py
+++ b/awx/sso/backends.py
@@ -266,16 +266,12 @@ class SAMLAuth(BaseSAMLAuth):
 if not feature_enabled('enterprise_auth'):
 logger.error("Unable to authenticate, license does not support SAML authentication")
 return None
- created = False
- try:
- user = User.objects.get(username=kwargs.get('username', ''))
- if user and not user.is_in_enterprise_category('saml'):
- return None
- except User.DoesNotExist:
- created = True
 user = super(SAMLAuth, self).authenticate(*args, **kwargs)
- if user and created:
+ # Comes from https://github.com/omab/python-social-auth/blob/v0.2.21/social/backends/base.py#L91
+ if getattr(user, 'is_new', False):
 _decorate_enterprise_user(user, 'saml')
+ elif user and not user.is_in_enterprise_category('saml'):
+ return None
 return user
 
 def get_user(self, user_id):
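Review bot: The enterprise-category check in `elif user and not user.is_in_enterprise_category('saml'): return None` now runs only after `super(SAMLAuth, self).authenticate(*args, **kwargs)` has returned, so anything the social-auth pipeline writes has presumably already been applied to the colliding local account before the login is refused. The method starts above the hunk and the pipeline configuration is not visible here, so it is worth confirming that no pipeline step can attach a SAML identity to a non-enterprise user or update that user's fields. The refusal is also silent, unlike the license branch above it; a line such as `logger.warning("SAML login refused: user %s is not an enterprise (saml) user", user.username)` before `return None` would make these collisions visible to operators. The new-user branch depends on the transient `is_new` attribute from the linked upstream version: if it is ever absent, a freshly created user skips `_decorate_enterprise_user` and is rejected by the `elif`. The comment should say so instead of only `# Comes from <url>`.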