Restore legacy SAML ACS endpoint. (elastic#106665)
azasypkin authored and vadimkibana committed Aug 8, 2021
1 parent 7e9a227 commit b097e40
Showing 2 changed files with 57 additions and 32 deletions.
Expand Up @@ -43,6 +43,15 @@ describe('SAML authentication routes', () => {
routeHandler = acsRouteHandler;
});

it('additionally registers BWC route', () => {
expect(
router.post.mock.calls.find(([{ path }]) => path === '/api/security/saml/callback')
).toBeDefined();
expect(
router.post.mock.calls.find(([{ path }]) => path === '/api/security/v1/saml')
).toBeDefined();
});

it('correctly defines route.', () => {
expect(routeConfig.options).toEqual({
authRequired: false,
80 changes: 48 additions & 32 deletions x-pack/plugins/security/server/routes/authentication/saml.ts
Expand Up @@ -14,40 +14,56 @@ import { ROUTE_TAG_AUTH_FLOW, ROUTE_TAG_CAN_REDIRECT } from '../tags';
/**
* Defines routes required for SAML authentication.
*/
export function defineSAMLRoutes({ router, getAuthenticationService }: RouteDefinitionParams) {
router.post(
{
path: '/api/security/saml/callback',
validate: {
body: schema.object(
{ SAMLResponse: schema.string(), RelayState: schema.maybe(schema.string()) },
{ unknowns: 'ignore' }
),
},
options: {
authRequired: false,
xsrfRequired: false,
tags: [ROUTE_TAG_CAN_REDIRECT, ROUTE_TAG_AUTH_FLOW],
},
},
async (context, request, response) => {
// When authenticating using SAML we _expect_ to redirect to the Kibana target location.
const authenticationResult = await getAuthenticationService().login(request, {
provider: { type: SAMLAuthenticationProvider.type },
value: {
type: SAMLLogin.LoginWithSAMLResponse,
samlResponse: request.body.SAMLResponse,
relayState: request.body.RelayState,
export function defineSAMLRoutes({
router,
getAuthenticationService,
basePath,
logger,
}: RouteDefinitionParams) {
// Generate two identical routes with new and deprecated URL and issue a warning if route with deprecated URL is ever used.
for (const path of ['/api/security/saml/callback', '/api/security/v1/saml']) {
router.post(
{
path,
validate: {
body: schema.object(
{ SAMLResponse: schema.string(), RelayState: schema.maybe(schema.string()) },
{ unknowns: 'ignore' }
),
},
});
options: {
authRequired: false,
xsrfRequired: false,
tags: [ROUTE_TAG_CAN_REDIRECT, ROUTE_TAG_AUTH_FLOW],
},
},
async (context, request, response) => {
if (path === '/api/security/v1/saml') {
const serverBasePath = basePath.serverBasePath;
logger.warn(
// When authenticating using SAML we _expect_ to redirect to the SAML Identity provider.
`The "${serverBasePath}${path}" URL is deprecated and might stop working in a future release. Please use "${serverBasePath}/api/security/saml/callback" URL instead.`
);
}

if (authenticationResult.redirected()) {
return response.redirected({
headers: { location: authenticationResult.redirectURL! },
// When authenticating using SAML we _expect_ to redirect to the Kibana target location.
const authenticationResult = await getAuthenticationService().login(request, {
provider: { type: SAMLAuthenticationProvider.type },
value: {
type: SAMLLogin.LoginWithSAMLResponse,
samlResponse: request.body.SAMLResponse,
relayState: request.body.RelayState,
},
});
}

return response.unauthorized({ body: authenticationResult.error });
}
);
if (authenticationResult.redirected()) {
return response.redirected({
headers: { location: authenticationResult.redirectURL! },
});
}

return response.unauthorized({ body: authenticationResult.error });
}
);
}
}
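Review bot: The comment placed inside the `logger.warn(` call in the deprecated-path branch (`// When authenticating using SAML we _expect_ to redirect to the SAML Identity provider.`) sits between the call and its template-literal argument and describes behaviour this handler does not have — the ACS callback redirects to the Kibana target location, as the comment above the `login` call already states. It reads as a leftover from the refactor; drop it, or replace it with a comment above the `if (path === '/api/security/v1/saml')` check such as `// Warn on every use of the legacy ACS URL so deployments can migrate before it is removed.` The literal `'/api/security/v1/saml'` also appears twice (in the loop list and in the branch condition); a single `const DEPRECATED_ACS_PATH = '/api/security/v1/saml';` declared next to the loop would keep the two from drifting apart. The warning interpolates only the server base path and the loop-constant `path`, so no request-controlled data reaches the log — worth keeping that way if the message is ever extended.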
