Set unusable password for new created users

djangosaml2/backends.py

@@ -290,6 +290,7 @@ def get_or_create_user(
             # Create new one if desired by settings
             if create_unknown_user:
                 user = UserModel(**{user_lookup_key: user_lookup_value})
+                user.set_unusable_password()
                 created = True
                 logger.debug(f"New user created: {user}")
             else:

djangosaml2/tests/__init__.py

@@ -462,6 +462,8 @@ def test_assertion_consumer_service(self):
         user_id = self.client.session[SESSION_KEY]
         user = User.objects.get(id=user_id)
         self.assertEqual(user.username, "student")
+        # Since a new user object is created, the password
+        # field is set to have an unusable password.
         self.assertEqual(user.has_usable_password(), False)
 
         # let's create another user and log in with that one
@@ -487,6 +489,10 @@ def test_assertion_consumer_service(self):
         # as the RelayState is empty we have redirect to ACS_DEFAULT_REDIRECT_URL
         self.assertRedirects(response, "/dashboard/")
         self.assertEqual(str(new_user.id), client.session[SESSION_KEY])
+        new_user.refresh_from_db()
+        # Since "new_user" already had a password,
+        # the password field will remain unchanged.
+        self.assertEqual(new_user.has_usable_password(), True)
 
     @override_settings(ACS_DEFAULT_REDIRECT_URL="testprofiles:dashboard")
     def test_assertion_consumer_service_default_relay_state(self):