Merge pull request #1962 from jackHay22/jh/saml

Fix new saml provider form, add fields for specifying assertion keys

options/locale/locale_en-US.ini

@@ -2967,12 +2967,15 @@ auths.sspi_separator_replacement_helper = The character to use to replace the se
 auths.sspi_default_language = Default user language
 auths.sspi_default_language_helper = Default language for users automatically created by SSPI auth method. Leave empty if you prefer language to be automatically detected.
 auths.saml_nameidformat = SAML NameID Format
-auths.saml_IdentityProviderMetadataURL = Identity Provider Metadata URL
-auths.saml_IdentityProviderMetadata = Identity Provider Metadata XML
+auths.saml_identity_provider_metadata_url = Identity Provider Metadata URL
+auths.saml_identity_provider_metadata = Identity Provider Metadata XML
 auths.saml_insecure_skip_assertion_signature_validation = [Insecure] Skip Assertion Signature Validation
-auths.saml_ServiceProviderCertificate = Service Provider Certificate
-auths.saml_ServiceProviderPrivateKey = Service Provider Private Key
-auths.saml_SignRequests = Sign SAML Requests
+auths.saml_service_provider_certificate = Service Provider Certificate
+auths.saml_service_provider_private_key = Service Provider Private Key
+auths.saml_sign_requests = Sign SAML Requests
+auths.saml_identity_provider_email_assertion_key = Email Assertion Key
+auths.saml_identity_provider_name_assertion_key = Name Assertion Key
+auths.saml_identity_provider_username_assertion_key = Username Assertion Key
 auths.tips = Tips
 auths.tips.oauth2.general = OAuth2 Authentication
 auths.tips.oauth2.general.tip = When registering a new OAuth2 authentication, the callback/redirect URL should be:

routers/web/admin/auths.go

@@ -287,6 +287,9 @@ func parseSAMLConfig(ctx *context.Context, form forms.AuthenticationForm) (*saml
 		ServiceProviderCertificate:               form.ServiceProviderCertificate,
 		ServiceProviderPrivateKey:                form.ServiceProviderPrivateKey,
 		SignRequests:                             form.SignRequests,
+		EmailAssertionKey:                        form.EmailAssertionKey,
+		NameAssertionKey:                         form.NameAssertionKey,
+		UsernameAssertionKey:                     form.UsernameAssertionKey,
 	}, nil
 }
 

services/auth/source/saml/source.go

@@ -38,6 +38,13 @@ type Source struct {
 
 	CallbackURL string
 
+	// EmailAssertionKey description: Assertion key for user.Email
+	EmailAssertionKey string
+	// NameAssertionKey description: Assertion key for user.NickName
+	NameAssertionKey string
+	// UsernameAssertionKey description: Assertion key for user.Name
+	UsernameAssertionKey string
+
 	// reference to the authSource
 	authSource *auth.Source
 

services/auth/source/saml/source_callout.go

@@ -60,19 +60,17 @@ func (source *Source) Callback(request *http.Request, response http.ResponseWrit
 		return user, fmt.Errorf("no nameID found in SAML response")
 	}
 
-	// TODO: rather than hardcoding assertion keys, we should allow setting them in the UI
-
 	// email
-	if _, ok := samlMap["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddres"]; !ok {
-		user.Email = samlMap["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddres"]
+	if _, ok := samlMap[source.EmailAssertionKey]; !ok {
+		user.Email = samlMap[source.EmailAssertionKey]
 	}
 	// name
-	if _, ok := samlMap["http://schemas.xmlsoap.org/claims/CommonName"]; !ok {
-		user.NickName = samlMap["http://schemas.xmlsoap.org/claims/CommonName"]
+	if _, ok := samlMap[source.NameAssertionKey]; !ok {
+		user.NickName = samlMap[source.NameAssertionKey]
 	}
 	// username
-	if _, ok := samlMap["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]; !ok {
-		user.Name = samlMap["http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
+	if _, ok := samlMap[source.UsernameAssertionKey]; !ok {
+		user.Name = samlMap[source.UsernameAssertionKey]
 	}
 
 	// TODO: utilize groups later on

services/forms/auth_form.go

@@ -92,6 +92,9 @@ type AuthenticationForm struct {
 	ServiceProviderCertificate               string
 	ServiceProviderPrivateKey                string
 	SignRequests                             bool
+	EmailAssertionKey                        string
+	NameAssertionKey                         string
+	UsernameAssertionKey                     string
 }
 
 // Validate validates fields

templates/admin/auth/edit.tmpl

@@ -385,11 +385,11 @@
 					</div>
 
 					<div class="field">
-						<label for="identity_provider_metadata_url">{{.locale.Tr "admin.auths.saml_IdentityProviderMetadataURL"}}</label>
+						<label for="identity_provider_metadata_url">{{.locale.Tr "admin.auths.saml_identity_provider_metadata_url"}}</label>
 						<input id="identity_provider_metadata_url" name="identity_provider_metadata_url" value="{{$cfg.IdentityProviderMetadataURL}}">
 					</div>
 					<div class="field">
-						<label for="identity_provider_metadata">{{.locale.Tr "admin.auths.saml_IdentityProviderMetadata"}}</label>
+						<label for="identity_provider_metadata">{{.locale.Tr "admin.auths.saml_identity_provider_metadata"}}</label>
 						<textarea rows=2 id="identity_provider_metadata" name="identity_provider_metadata">{{$cfg.IdentityProviderMetadata}}</textarea>
 					</div>
 
@@ -401,20 +401,35 @@
 					</div>
 
 					<div class=" field">
-						<label for="service_provider_certificate">{{.locale.Tr "admin.auths.saml_ServiceProviderCertificate"}}</label>
+						<label for="service_provider_certificate">{{.locale.Tr "admin.auths.saml_service_provider_certificate"}}</label>
 						<textarea rows=2 id="service_provider_certificate" name="service_provider_certificate">{{$cfg.ServiceProviderCertificate}}</textarea>
 					</div>
 					<div class=" field">
-						<label for="service_provider_private_key">{{.locale.Tr "admin.auths.saml_ServiceProviderPrivateKey"}}</label>
+						<label for="service_provider_private_key">{{.locale.Tr "admin.auths.saml_service_provider_private_key"}}</label>
 						<textarea rows=2 id="service_provider_private_key" name="service_provider_private_key">{{$cfg.ServiceProviderPrivateKey}}</textarea>
 					</div>
 
 					<div class="inline field">
 						<div class="ui checkbox">
-							<label><strong>{{.locale.Tr "admin.auths.saml_SignRequests"}}</strong></label>
+							<label><strong>{{.locale.Tr "admin.auths.saml_sign_requests"}}</strong></label>
 							<input name="sign_requests" type="checkbox" {{if $cfg.SignRequests}}checked{{end}}>
 						</div>
 					</div>
+
+					<div class="field">
+						<label for="email_assertion_key">{{.locale.Tr "admin.auths.saml_identity_provider_email_assertion_key"}}</label>
+						<input id="email_assertion_key" name="email_assertion_key" value="{{if not $cfg.EmailAssertionKey}}http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress{{else}}{{$cfg.EmailAssertionKey}}{{end}}">
+					</div>
+
+					<div class="field">
+						<label for="name_assertion_key">{{.locale.Tr "admin.auths.saml_identity_provider_name_assertion_key"}}</label>
+						<input id="name_assertion_key" name="name_assertion_key" value="{{if not $cfg.NameAssertionKey}}http://schemas.xmlsoap.org/claims/CommonName{{else}}{{$cfg.NameAssertionKey}}{{end}}">
+					</div>
+
+					<div class="field">
+						<label for="username_assertion_key">{{.locale.Tr "admin.auths.saml_identity_provider_username_assertion_key"}}</label>
+						<input id="username_assertion_key" name="username_assertion_key" value="{{if not $cfg.UsernameAssertionKey}}http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name{{else}}{{$cfg.UsernameAssertionKey}}{{end}}">
+					</div>
 				{{end}}
 
 				<!-- SSPI -->

templates/admin/auth/new.tmpl

@@ -54,7 +54,7 @@
 				{{template "admin/auth/source/sspi" .}}
 
 				<!-- SAML -->
-+				{{template "admin/auth/source/saml" .}}
+				{{template "admin/auth/source/saml" .}}
 
 				<div class="ldap field">
 					<div class="ui checkbox">

templates/admin/auth/source/saml.tmpl

@@ -1,4 +1,4 @@
-<div class="saml field {{if not (eq .type 99)}}gt-hidden{{end}}">
+<div class="saml field {{if not (eq .type 8)}}gt-hidden{{end}}">
 
 	<div class="inline required field">
 		<label>{{.locale.Tr "admin.auths.saml_nameidformat"}}</label>
@@ -41,9 +41,24 @@
 
 	<div class="inline field">
 		<div class="ui checkbox">
-			<label><strong>{{.locale.Tr "admin.auths.sign_requests"}}</strong></label>
+			<label><strong>{{.locale.Tr "admin.auths.saml_sign_requests"}}</strong></label>
 			<input name="sign_requests" type="checkbox" {{if .SignRequests}}checked{{end}}>
 		</div>
 	</div>
 
+	<div class="field">
+		<label for="email_assertion_key">{{.locale.Tr "admin.auths.saml_identity_provider_email_assertion_key"}}</label>
+		<input id="email_assertion_key" name="email_assertion_key" value="{{if not .EmailAssertionKey}}http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress{{else}}{{.EmailAssertionKey}}{{end}}">
+	</div>
+
+	<div class="field">
+		<label for="name_assertion_key">{{.locale.Tr "admin.auths.saml_identity_provider_name_assertion_key"}}</label>
+		<input id="name_assertion_key" name="name_assertion_key" value="{{if not .NameAssertionKey}}http://schemas.xmlsoap.org/claims/CommonName{{else}}{{.NameAssertionKey}}{{end}}">
+	</div>
+
+	<div class="field">
+		<label for="username_assertion_key">{{.locale.Tr "admin.auths.saml_identity_provider_username_assertion_key"}}</label>
+		<input id="username_assertion_key" name="username_assertion_key" value="{{if not .UsernameAssertionKey}}http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name{{else}}{{.UsernameAssertionKey}}{{end}}">
+	</div>
+
 </div>

web_src/js/features/admin/common.js

@@ -137,6 +137,10 @@ export function initAdminCommon() {
           showElem($('.sspi'));
           $('.sspi div.required input').attr('required', 'required');
           break;
+        case '8': // SAML
+          showElem($('.saml'));
+          $('.saml div.required input').attr('required', 'required');
+          break;
       }
       if (authType === '2' || authType === '5') {
         onSecurityProtocolChange();