feat(saml): saml 2.0 implementation

Signed-off-by: ThibaultHerard <[email protected]> Co-authored-by: sebferrer <[email protected]>
ory · Apr 19, 2022 · cac09e2 · cac09e2
1 parent d3ee806
commit cac09e2
Show file tree

Hide file tree

Showing 69 changed files with 3,443 additions and 2 deletions.
diff --git a/.schema/api.openapi.json b/.schema/api.openapi.json
@@ -1932,6 +1932,81 @@
         ]
       }
     },
+    "/self-service/saml/metadata":{
+      "get":{
+        "description": "This endpoint is for the IDP to obtain kratos metadata",
+        "operationId": "getSamlMetadata",
+        "response": {
+          "302":{
+            "$ref": "#/components/responses/emptyResponse"
+          },
+          "500": {
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/genericError"
+                }
+              }
+            },
+            "description": "genericError"
+          }
+        },
+        "summary": "Expose metadata of the SAML Service Provider (Kratos)",
+        "tags": [
+          "public"
+        ]
+      }
+    },
+    "/self-service/saml/idp":{
+      "get":{
+        "description": "This endpoint is to redirect the user to the idp auth flow",
+        "operationId": "getUrlIdp",
+        "response": {
+          "302":{
+            "$ref": "#/components/responses/emptyResponse"
+          },
+          "500": {
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/genericError"
+                }
+              }
+            },
+            "description": "genericError"
+          }
+        },
+        "summary": "Redirect the user to the IDP flow",
+        "tags": [
+          "public"
+        ]
+      }
+    },
+    "/self-service/saml/acs":{
+      "get":{
+        "description": "AssertionConsumerService : handle saml response from the IDP",
+        "operationId": "getSamlAcs",
+        "response": {
+          "302":{
+            "$ref": "#/components/responses/emptyResponse"
+          },
+          "500": {
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/genericError"
+                }
+              }
+            },
+            "description": "genericError"
+          }
+        },
+        "summary": "Handle SAML response from the IDP",
+        "tags": [
+          "public"
+        ]
+      }
+    },
     "/self-service/login/browser": {
       "get": {
         "description": "This endpoint initializes a browser-based user login flow. Once initialized, the browser will be redirected to\n`selfservice.flows.login.ui_url` with the flow ID set as the query parameter `?flow=`. If a valid user session\nexists already, the browser will be redirected to `urls.default_redirect_url` unless the query parameter\n`?refresh=true` was set.\n\nThis endpoint is NOT INTENDED for API clients and only works with browsers (Chrome, Firefox, ...).\n\nMore information can be found at [Ory Kratos User Login and User Registration Documentation](https://www.ory.sh/docs/next/kratos/self-service/flows/user-login-user-registration).",

diff --git a/.schema/openapi.json b/.schema/openapi.json
@@ -2006,6 +2006,81 @@
         ]
       }
     },
+    "/self-service/saml/idp":{
+      "get":{
+        "description": "This endpoint is to redirect the user to the idp auth flow",
+        "operationId": "getUrlIdp",
+        "response": {
+          "302":{
+            "$ref": "#/components/responses/emptyResponse"
+          },
+          "500": {
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/genericError"
+                }
+              }
+            },
+            "description": "genericError"
+          }
+        },
+        "summary": "Redirect the user to the IDP flow",
+        "tags": [
+          "public"
+        ]
+      }
+    },
+    "/self-service/saml/metadata":{
+      "get":{
+        "description": "This endpoint is for the IDP to obtain kratos metadata",
+        "operationId": "getSamlMetadata",
+        "response": {
+          "302":{
+            "$ref": "#/components/responses/emptyResponse"
+          },
+          "500": {
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/genericError"
+                }
+              }
+            },
+            "description": "genericError"
+          }
+        },
+        "summary": "Expose metadata of the SAML Service Provider (Kratos)",
+        "tags": [
+          "public"
+        ]
+      }
+    },
+    "/self-service/saml/acs":{
+      "get":{
+        "description": "AssertionConsumerService : handle saml response from the IDP",
+        "operationId": "getSamlAcs",
+        "response": {
+          "302":{
+            "$ref": "#/components/responses/emptyResponse"
+          },
+          "500": {
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/genericError"
+                }
+              }
+            },
+            "description": "genericError"
+          }
+        },
+        "summary": "Handle SAML response from the IDP",
+        "tags": [
+          "public"
+        ]
+      }
+    },
     "/self-service/login/flows": {
       "get": {
         "description": "This endpoint returns a login flow's context with, for example, error details and other information.\n\nMore information can be found at [Ory Kratos User Login and User Registration Documentation](https://www.ory.sh/docs/next/kratos/self-service/flows/user-login-user-registration).",

diff --git a/driver/registery_default_saml.go b/driver/registery_default_saml.go
@@ -0,0 +1,11 @@
+package driver
+
+import "github.com/ory/kratos/selfservice/flow/saml"
+
+func (m *RegistryDefault) SAMLHandler() *saml.Handler {
+	if m.selfserviceSAMLHandler == nil {
+		m.selfserviceSAMLHandler = saml.NewHandler(m)
+	}
+
+	return m.selfserviceSAMLHandler
+}
diff --git a/driver/registry_default.go b/driver/registry_default.go
@@ -34,11 +34,13 @@ import (
 	"github.com/ory/kratos/hash"
 	"github.com/ory/kratos/schema"
 	"github.com/ory/kratos/selfservice/flow/recovery"
+	"github.com/ory/kratos/selfservice/flow/saml"
 	"github.com/ory/kratos/selfservice/flow/settings"
 	"github.com/ory/kratos/selfservice/flow/verification"
 	"github.com/ory/kratos/selfservice/hook"
 	"github.com/ory/kratos/selfservice/strategy/link"
 	"github.com/ory/kratos/selfservice/strategy/profile"
+	samlstrategy "github.com/ory/kratos/selfservice/strategy/saml/strategy"
 	"github.com/ory/kratos/x"
 
 	"github.com/cenkalti/backoff"
@@ -119,6 +121,8 @@ type RegistryDefault struct {
 	selfserviceLoginHandler             *login.Handler
 	selfserviceLoginRequestErrorHandler *login.ErrorHandler
 
+	selfserviceSAMLHandler *saml.Handler
+
 	selfserviceSettingsHandler      *settings.Handler
 	selfserviceSettingsErrorHandler *settings.ErrorHandler
 	selfserviceSettingsExecutor     *settings.HookExecutor
@@ -151,6 +155,7 @@ func (m *RegistryDefault) Audit() *logrusx.Logger {
 
 func (m *RegistryDefault) RegisterPublicRoutes(ctx context.Context, router *x.RouterPublic) {
 	m.LoginHandler().RegisterPublicRoutes(router)
+	m.SAMLHandler().RegisterPublicRoutes(router)
 	m.RegistrationHandler().RegisterPublicRoutes(router)
 	m.LogoutHandler().RegisterPublicRoutes(router)
 	m.SettingsHandler().RegisterPublicRoutes(router)
@@ -275,6 +280,7 @@ func (m *RegistryDefault) selfServiceStrategies() []interface{} {
 		m.selfserviceStrategies = []interface{}{
 			password2.NewStrategy(m),
 			oidc.NewStrategy(m),
+			samlstrategy.NewStrategy(m),
 			profile.NewStrategy(m),
 			link.NewStrategy(m),
 			totp.NewStrategy(m),

diff --git a/driver/registry_default_test.go b/driver/registry_default_test.go
@@ -686,7 +686,7 @@ func TestDefaultRegistry_AllStrategies(t *testing.T) {
 	_, reg := internal.NewFastRegistryWithMocks(t)
 
 	t.Run("case=all login strategies", func(t *testing.T) {
-		expects := []string{"password", "oidc", "totp", "webauthn", "lookup_secret"}
+		expects := []string{"password", "saml", "oidc", "totp", "webauthn", "lookup_secret"}
 		s := reg.AllLoginStrategies()
 		require.Len(t, s, len(expects))
 		for k, e := range expects {