TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-07-13 08:18:32 +00:00
Code Issues Packages Projects Releases Wiki Activity
zitadel/internal/query/idp_template.go

1908 lines
58 KiB
Go
Raw Normal View History

feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
package query
import (
"context"
"database/sql"
refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com>
2023-12-08 16:30:55 +02:00
"errors"
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
"time"
sq "github.com/Masterminds/squirrel"
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
"github.com/zitadel/logging"
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
"github.com/zitadel/zitadel/internal/api/authz"
"github.com/zitadel/zitadel/internal/crypto"
feat(api): add google provider template (#5247) add functionality to manage templates based Google IDP
2023-02-21 18:18:28 +01:00
"github.com/zitadel/zitadel/internal/database"
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
"github.com/zitadel/zitadel/internal/domain"
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
"github.com/zitadel/zitadel/internal/eventstore/handler/v2"
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
"github.com/zitadel/zitadel/internal/query/projection"
"github.com/zitadel/zitadel/internal/repository/idp"
"github.com/zitadel/zitadel/internal/telemetry/tracing"
refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com>
2023-12-08 16:30:55 +02:00
"github.com/zitadel/zitadel/internal/zerrors"
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
)
type IDPTemplate struct {
CreationDate time.Time
ChangeDate time.Time
Sequence uint64
ResourceOwner string
ID string
State domain.IDPState
Name string
Type domain.IDPType
OwnerType domain.IdentityProviderType
IsCreationAllowed bool
IsLinkingAllowed bool
IsAutoCreation bool
IsAutoUpdate bool
feat(idp): provide option to auto link user (#7734) * init auto linking * prompt handling * working * translations * console * fixes * unify * custom texts * fix tests * linting * fix check of existing user * fix bg translation * set unspecified as default in the form
2024-04-10 17:46:30 +02:00
AutoLinking domain.AutoLinkingOption
feat(api): add generic oauth provider template (#5260) adds functionality to manage templates based OIDC IDPs
2023-02-24 15:16:06 +01:00
*OAuthIDPTemplate
feat(api): add oidc and jwt provider template (#5290) Adds possibility to manage OIDC and JWT template based providers
2023-02-27 16:32:18 +01:00
*OIDCIDPTemplate
*JWTIDPTemplate
feat: add azure provider templates (#5441) Adds possibility to manage and use Microsoft Azure template based providers
2023-03-15 07:48:37 +01:00
*AzureADIDPTemplate
feat: add github provider template (#5334) Adds possibility to manage and use GitHub (incl. Enterprise Server) template based providers
2023-03-08 11:17:28 +01:00
*GitHubIDPTemplate
*GitHubEnterpriseIDPTemplate
feat: add gitlab provider templates (#5405) * feat(api): add google provider template * refactor reduce functions * handle removed event * linting * fix projection * feat(api): add generic oauth provider template * feat(api): add github provider templates * feat(api): add github provider templates * fixes * proto comment * fix filtering * requested changes * feat(api): add generic oauth provider template * remove wrongly committed message * increase budget for angular build * fix linting * fixes * fix merge * fix merge * fix projection * fix merge * updates from previous PRs * enable github providers in login * fix merge * fix test and add github styling in login * cleanup * feat(api): add gitlab provider templates * fix: merge * fix display of providers in login * implement gitlab in login and make prompt `select_account` optional since gitlab can't handle it * fix merge * fix merge and add tests for command side * requested changes * requested changes * Update internal/query/idp_template.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix merge * requested changes --------- Co-authored-by: Silvan <silvan.reusser@gmail.com>
2023-03-13 17:34:29 +01:00
*GitLabIDPTemplate
*GitLabSelfHostedIDPTemplate
feat(api): add google provider template (#5247) add functionality to manage templates based Google IDP
2023-02-21 18:18:28 +01:00
*GoogleIDPTemplate
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
*LDAPIDPTemplate
feat: add apple as idp (#6442) * feat: manage apple idp * handle apple idp callback * add tests for provider * basic console implementation * implement flow for login UI and add logos / styling * tests * cleanup * add upload button * begin i18n * apple logo positioning, file upload component * fix add apple instance idp * add missing apple logos for login * update to go 1.21 * fix slice compare * revert permission changes * concrete error messages * translate login apple logo -y-2px * change form parsing * sign in button * fix tests * lint console --------- Co-authored-by: peintnermax <max@caos.ch>
2023-08-31 08:39:16 +02:00
*AppleIDPTemplate
feat: add SAML as identity provider (#6454) * feat: first implementation for saml sp * fix: add command side instance and org for saml provider * fix: add query side instance and org for saml provider * fix: request handling in event and retrieval of finished intent * fix: add review changes and integration tests * fix: add integration tests for saml idp * fix: correct unit tests with review changes * fix: add saml session unit test * fix: add saml session unit test * fix: add saml session unit test * fix: changes from review * fix: changes from review * fix: proto build error * fix: proto build error * fix: proto build error * fix: proto require metadata oneof * fix: login with saml provider * fix: integration test for saml assertion * lint client.go * fix json tag * fix: linting * fix import * fix: linting * fix saml idp query * fix: linting * lint: try all issues * revert linting config * fix: add regenerate endpoints * fix: translations * fix mk.yaml * ignore acs path for user agent cookie * fix: add AuthFromProvider test for saml * fix: integration test for saml retrieve information --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-09-29 11:26:14 +02:00
*SAMLIDPTemplate
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
}
type IDPTemplates struct {
SearchResponse
Templates []*IDPTemplate
}
feat(api): add generic oauth provider template (#5260) adds functionality to manage templates based OIDC IDPs
2023-02-24 15:16:06 +01:00
type OAuthIDPTemplate struct {
IDPID string
ClientID string
ClientSecret *crypto.CryptoValue
AuthorizationEndpoint string
TokenEndpoint string
UserEndpoint string
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
Scopes database.TextArray[string]
fix: use of generic oauth provider (#5345) Adds a id_attribute to the GenericOAuthProvider, which is used to map the external User. Further mapping can be done in actions by using the `rawInfo` of the new `ctx.v1.providerInfo` field.
2023-03-03 11:38:49 +01:00
IDAttribute string
feat: add PKCE option to generic OAuth2 / OIDC identity providers (#9373) # Which Problems Are Solved Some OAuth2 and OIDC providers require the use of PKCE for all their clients. While ZITADEL already recommended the same for its clients, it did not yet support the option on the IdP configuration. # How the Problems Are Solved - A new boolean `use_pkce` is added to the add/update generic OAuth/OIDC endpoints. - A new checkbox is added to the generic OAuth and OIDC provider templates. - The `rp.WithPKCE` option is added to the provider if the use of PKCE has been set. - The `rp.WithCodeChallenge` and `rp.WithCodeVerifier` options are added to the OIDC/Auth BeginAuth and CodeExchange function. - Store verifier or any other persistent argument in the intent or auth request. - Create corresponding session object before creating the intent, to be able to store the information. - (refactored session structs to use a constructor for unified creation and better overview of actual usage) Here's a screenshot showing the URI including the PKCE params: ![use_pkce_in_url](https://github.com/zitadel/zitadel/assets/30386061/eaeab123-a5da-4826-b001-2ae9efa35169) # Additional Changes None. # Additional Context - Closes #6449 - This PR replaces the existing PR (#8228) of @doncicuto. The base he did was cherry picked. Thank you very much for that! --------- Co-authored-by: Miguel Cabrerizo <doncicuto@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-02-26 13:20:47 +01:00
UsePKCE bool
feat(api): add generic oauth provider template (#5260) adds functionality to manage templates based OIDC IDPs
2023-02-24 15:16:06 +01:00
}
feat(api): add oidc and jwt provider template (#5290) Adds possibility to manage OIDC and JWT template based providers
2023-02-27 16:32:18 +01:00
type OIDCIDPTemplate struct {
fix: use idToken for mapping when using old configs (#5458) * fix: use idToken for mapping when using old configs * fix events and add tests
2023-03-16 16:47:22 +01:00
IDPID string
ClientID string
ClientSecret *crypto.CryptoValue
Issuer string
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
Scopes database.TextArray[string]
fix: use idToken for mapping when using old configs (#5458) * fix: use idToken for mapping when using old configs * fix events and add tests
2023-03-16 16:47:22 +01:00
IsIDTokenMapping bool
feat: add PKCE option to generic OAuth2 / OIDC identity providers (#9373) # Which Problems Are Solved Some OAuth2 and OIDC providers require the use of PKCE for all their clients. While ZITADEL already recommended the same for its clients, it did not yet support the option on the IdP configuration. # How the Problems Are Solved - A new boolean `use_pkce` is added to the add/update generic OAuth/OIDC endpoints. - A new checkbox is added to the generic OAuth and OIDC provider templates. - The `rp.WithPKCE` option is added to the provider if the use of PKCE has been set. - The `rp.WithCodeChallenge` and `rp.WithCodeVerifier` options are added to the OIDC/Auth BeginAuth and CodeExchange function. - Store verifier or any other persistent argument in the intent or auth request. - Create corresponding session object before creating the intent, to be able to store the information. - (refactored session structs to use a constructor for unified creation and better overview of actual usage) Here's a screenshot showing the URI including the PKCE params: ![use_pkce_in_url](https://github.com/zitadel/zitadel/assets/30386061/eaeab123-a5da-4826-b001-2ae9efa35169) # Additional Changes None. # Additional Context - Closes #6449 - This PR replaces the existing PR (#8228) of @doncicuto. The base he did was cherry picked. Thank you very much for that! --------- Co-authored-by: Miguel Cabrerizo <doncicuto@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-02-26 13:20:47 +01:00
UsePKCE bool
feat(api): add oidc and jwt provider template (#5290) Adds possibility to manage OIDC and JWT template based providers
2023-02-27 16:32:18 +01:00
}
type JWTIDPTemplate struct {
IDPID string
Issuer string
KeysEndpoint string
HeaderName string
Endpoint string
}
feat: add azure provider templates (#5441) Adds possibility to manage and use Microsoft Azure template based providers
2023-03-15 07:48:37 +01:00
type AzureADIDPTemplate struct {
IDPID string
ClientID string
ClientSecret *crypto.CryptoValue
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
Scopes database.TextArray[string]
feat: add azure provider templates (#5441) Adds possibility to manage and use Microsoft Azure template based providers
2023-03-15 07:48:37 +01:00
Tenant string
IsEmailVerified bool
}
feat: add github provider template (#5334) Adds possibility to manage and use GitHub (incl. Enterprise Server) template based providers
2023-03-08 11:17:28 +01:00
type GitHubIDPTemplate struct {
IDPID string
ClientID string
ClientSecret *crypto.CryptoValue
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
Scopes database.TextArray[string]
feat: add github provider template (#5334) Adds possibility to manage and use GitHub (incl. Enterprise Server) template based providers
2023-03-08 11:17:28 +01:00
}
type GitHubEnterpriseIDPTemplate struct {
IDPID string
ClientID string
ClientSecret *crypto.CryptoValue
AuthorizationEndpoint string
TokenEndpoint string
UserEndpoint string
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
Scopes database.TextArray[string]
feat: add github provider template (#5334) Adds possibility to manage and use GitHub (incl. Enterprise Server) template based providers
2023-03-08 11:17:28 +01:00
}
feat: add gitlab provider templates (#5405) * feat(api): add google provider template * refactor reduce functions * handle removed event * linting * fix projection * feat(api): add generic oauth provider template * feat(api): add github provider templates * feat(api): add github provider templates * fixes * proto comment * fix filtering * requested changes * feat(api): add generic oauth provider template * remove wrongly committed message * increase budget for angular build * fix linting * fixes * fix merge * fix merge * fix projection * fix merge * updates from previous PRs * enable github providers in login * fix merge * fix test and add github styling in login * cleanup * feat(api): add gitlab provider templates * fix: merge * fix display of providers in login * implement gitlab in login and make prompt `select_account` optional since gitlab can't handle it * fix merge * fix merge and add tests for command side * requested changes * requested changes * Update internal/query/idp_template.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix merge * requested changes --------- Co-authored-by: Silvan <silvan.reusser@gmail.com>
2023-03-13 17:34:29 +01:00
type GitLabIDPTemplate struct {
IDPID string
ClientID string
ClientSecret *crypto.CryptoValue
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
Scopes database.TextArray[string]
feat: add gitlab provider templates (#5405) * feat(api): add google provider template * refactor reduce functions * handle removed event * linting * fix projection * feat(api): add generic oauth provider template * feat(api): add github provider templates * feat(api): add github provider templates * fixes * proto comment * fix filtering * requested changes * feat(api): add generic oauth provider template * remove wrongly committed message * increase budget for angular build * fix linting * fixes * fix merge * fix merge * fix projection * fix merge * updates from previous PRs * enable github providers in login * fix merge * fix test and add github styling in login * cleanup * feat(api): add gitlab provider templates * fix: merge * fix display of providers in login * implement gitlab in login and make prompt `select_account` optional since gitlab can't handle it * fix merge * fix merge and add tests for command side * requested changes * requested changes * Update internal/query/idp_template.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix merge * requested changes --------- Co-authored-by: Silvan <silvan.reusser@gmail.com>
2023-03-13 17:34:29 +01:00
}
type GitLabSelfHostedIDPTemplate struct {
IDPID string
Issuer string
ClientID string
ClientSecret *crypto.CryptoValue
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
Scopes database.TextArray[string]
feat: add gitlab provider templates (#5405) * feat(api): add google provider template * refactor reduce functions * handle removed event * linting * fix projection * feat(api): add generic oauth provider template * feat(api): add github provider templates * feat(api): add github provider templates * fixes * proto comment * fix filtering * requested changes * feat(api): add generic oauth provider template * remove wrongly committed message * increase budget for angular build * fix linting * fixes * fix merge * fix merge * fix projection * fix merge * updates from previous PRs * enable github providers in login * fix merge * fix test and add github styling in login * cleanup * feat(api): add gitlab provider templates * fix: merge * fix display of providers in login * implement gitlab in login and make prompt `select_account` optional since gitlab can't handle it * fix merge * fix merge and add tests for command side * requested changes * requested changes * Update internal/query/idp_template.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix merge * requested changes --------- Co-authored-by: Silvan <silvan.reusser@gmail.com>
2023-03-13 17:34:29 +01:00
}
feat(api): add google provider template (#5247) add functionality to manage templates based Google IDP
2023-02-21 18:18:28 +01:00
type GoogleIDPTemplate struct {
IDPID string
ClientID string
ClientSecret *crypto.CryptoValue
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
Scopes database.TextArray[string]
feat(api): add google provider template (#5247) add functionality to manage templates based Google IDP
2023-02-21 18:18:28 +01:00
}
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
type LDAPIDPTemplate struct {
feat: ldap provider login (#5448) Add the logic to configure and use LDAP provider as an external IDP with a dedicated login GUI.
2023-03-24 16:18:56 +01:00
IDPID string
Servers []string
StartTLS bool
BaseDN string
BindDN string
BindPassword *crypto.CryptoValue
UserBase string
UserObjectClasses []string
UserFilters []string
Timeout time.Duration
feat(ldap): adding root ca option to ldap config (#9292) # Which Problems Are Solved Adding ability to add a root CA to LDAP configs # Additional Context - Closes https://github.com/zitadel/zitadel/issues/7888 --------- Co-authored-by: Iraq Jaber <IraqJaber@gmail.com>
2025-02-18 10:06:50 +00:00
RootCA []byte
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
idp.LDAPAttributes
}
feat: add apple as idp (#6442) * feat: manage apple idp * handle apple idp callback * add tests for provider * basic console implementation * implement flow for login UI and add logos / styling * tests * cleanup * add upload button * begin i18n * apple logo positioning, file upload component * fix add apple instance idp * add missing apple logos for login * update to go 1.21 * fix slice compare * revert permission changes * concrete error messages * translate login apple logo -y-2px * change form parsing * sign in button * fix tests * lint console --------- Co-authored-by: peintnermax <max@caos.ch>
2023-08-31 08:39:16 +02:00
type AppleIDPTemplate struct {
IDPID string
ClientID string
TeamID string
KeyID string
PrivateKey *crypto.CryptoValue
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
Scopes database.TextArray[string]
feat: add apple as idp (#6442) * feat: manage apple idp * handle apple idp callback * add tests for provider * basic console implementation * implement flow for login UI and add logos / styling * tests * cleanup * add upload button * begin i18n * apple logo positioning, file upload component * fix add apple instance idp * add missing apple logos for login * update to go 1.21 * fix slice compare * revert permission changes * concrete error messages * translate login apple logo -y-2px * change form parsing * sign in button * fix tests * lint console --------- Co-authored-by: peintnermax <max@caos.ch>
2023-08-31 08:39:16 +02:00
}
feat: add SAML as identity provider (#6454) * feat: first implementation for saml sp * fix: add command side instance and org for saml provider * fix: add query side instance and org for saml provider * fix: request handling in event and retrieval of finished intent * fix: add review changes and integration tests * fix: add integration tests for saml idp * fix: correct unit tests with review changes * fix: add saml session unit test * fix: add saml session unit test * fix: add saml session unit test * fix: changes from review * fix: changes from review * fix: proto build error * fix: proto build error * fix: proto build error * fix: proto require metadata oneof * fix: login with saml provider * fix: integration test for saml assertion * lint client.go * fix json tag * fix: linting * fix import * fix: linting * fix saml idp query * fix: linting * lint: try all issues * revert linting config * fix: add regenerate endpoints * fix: translations * fix mk.yaml * ignore acs path for user agent cookie * fix: add AuthFromProvider test for saml * fix: integration test for saml retrieve information --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-09-29 11:26:14 +02:00
type SAMLIDPTemplate struct {
feat(saml): allow setting nameid-format and alternative mapping for transient format (#7979) # Which Problems Are Solved ZITADEL currently always uses `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` in SAML requests, relying on the IdP to respect that flag and always return a peristent nameid in order to be able to map the external user with an existing user (idp link) in ZITADEL. In case the IdP however returns a `urn:oasis:names:tc:SAML:2.0:nameid-format:transient` (transient) nameid, the attribute will differ between each request and it will not be possible to match existing users. # How the Problems Are Solved This PR adds the following two options on SAML IdP: - **nameIDFormat**: allows to set the nameid-format used in the SAML Request - **transientMappingAttributeName**: allows to set an attribute name, which will be used instead of the nameid itself in case the returned nameid-format is transient # Additional Changes To reduce impact on current installations, the `idp_templates6_saml` table is altered with the two added columns by a setup job. New installations will automatically get the table with the two columns directly. All idp unit tests are updated to use `expectEventstore` instead of the deprecated `eventstoreExpect`. # Additional Context Closes #7483 Closes #7743 --------- Co-authored-by: peintnermax <max@caos.ch> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2024-05-23 07:04:07 +02:00
IDPID string
Metadata []byte
Key *crypto.CryptoValue
Certificate []byte
Binding string
WithSignedRequest bool
NameIDFormat sql.Null[domain.SAMLNameIDFormat]
TransientMappingAttributeName string
feat: federated logout for SAML IdPs (#9931) # Which Problems Are Solved Currently if a user signs in using an IdP, once they sign out of Zitadel, the corresponding IdP session is not terminated. This can be the desired behavior. In some cases, e.g. when using a shared computer it results in a potential security risk, since a follower user might be able to sign in as the previous using the still open IdP session. # How the Problems Are Solved - Admins can enabled a federated logout option on SAML IdPs through the Admin and Management APIs. - During the termination of a login V1 session using OIDC end_session endpoint, Zitadel will check if an IdP was used to authenticate that session. - In case there was a SAML IdP used with Federated Logout enabled, it will intercept the logout process, store the information into the shared cache and redirect to the federated logout endpoint in the V1 login. - The V1 login federated logout endpoint checks every request on an existing cache entry. On success it will create a SAML logout request for the used IdP and either redirect or POST to the configured SLO endpoint. The cache entry is updated with a `redirected` state. - A SLO endpoint is added to the `/idp` handlers, which will handle the SAML logout responses. At the moment it will check again for an existing federated logout entry (with state `redirected`) in the cache. On success, the user is redirected to the initially provided `post_logout_redirect_uri` from the end_session request. # Additional Changes None # Additional Context - This PR merges the https://github.com/zitadel/zitadel/pull/9841 and https://github.com/zitadel/zitadel/pull/9854 to main, additionally updating the docs on Entra ID SAML. - closes #9228 - backport to 3.x --------- Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com> Co-authored-by: Zach Hirschtritt <zachary.hirschtritt@klaviyo.com>
2025-05-23 13:52:25 +02:00
FederatedLogoutEnabled bool
feat: add SAML as identity provider (#6454) * feat: first implementation for saml sp * fix: add command side instance and org for saml provider * fix: add query side instance and org for saml provider * fix: request handling in event and retrieval of finished intent * fix: add review changes and integration tests * fix: add integration tests for saml idp * fix: correct unit tests with review changes * fix: add saml session unit test * fix: add saml session unit test * fix: add saml session unit test * fix: changes from review * fix: changes from review * fix: proto build error * fix: proto build error * fix: proto build error * fix: proto require metadata oneof * fix: login with saml provider * fix: integration test for saml assertion * lint client.go * fix json tag * fix: linting * fix import * fix: linting * fix saml idp query * fix: linting * lint: try all issues * revert linting config * fix: add regenerate endpoints * fix: translations * fix mk.yaml * ignore acs path for user agent cookie * fix: add AuthFromProvider test for saml * fix: integration test for saml retrieve information --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-09-29 11:26:14 +02:00
}
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
var (
idpTemplateTable = table{
name: projection.IDPTemplateTable,
instanceIDCol: projection.IDPTemplateInstanceIDCol,
}
IDPTemplateIDCol = Column{
name: projection.IDPTemplateIDCol,
table: idpTemplateTable,
}
IDPTemplateCreationDateCol = Column{
name: projection.IDPTemplateCreationDateCol,
table: idpTemplateTable,
}
IDPTemplateChangeDateCol = Column{
name: projection.IDPTemplateChangeDateCol,
table: idpTemplateTable,
}
IDPTemplateSequenceCol = Column{
name: projection.IDPTemplateSequenceCol,
table: idpTemplateTable,
}
IDPTemplateResourceOwnerCol = Column{
name: projection.IDPTemplateResourceOwnerCol,
table: idpTemplateTable,
}
IDPTemplateInstanceIDCol = Column{
name: projection.IDPTemplateInstanceIDCol,
table: idpTemplateTable,
}
IDPTemplateStateCol = Column{
name: projection.IDPTemplateStateCol,
table: idpTemplateTable,
}
IDPTemplateNameCol = Column{
name: projection.IDPTemplateNameCol,
table: idpTemplateTable,
}
IDPTemplateOwnerTypeCol = Column{
name: projection.IDPOwnerTypeCol,
table: idpTemplateTable,
}
IDPTemplateTypeCol = Column{
name: projection.IDPTemplateTypeCol,
table: idpTemplateTable,
}
IDPTemplateOwnerRemovedCol = Column{
name: projection.IDPTemplateOwnerRemovedCol,
table: idpTemplateTable,
}
IDPTemplateIsCreationAllowedCol = Column{
name: projection.IDPTemplateIsCreationAllowedCol,
table: idpTemplateTable,
}
IDPTemplateIsLinkingAllowedCol = Column{
name: projection.IDPTemplateIsLinkingAllowedCol,
table: idpTemplateTable,
}
IDPTemplateIsAutoCreationCol = Column{
name: projection.IDPTemplateIsAutoCreationCol,
table: idpTemplateTable,
}
IDPTemplateIsAutoUpdateCol = Column{
name: projection.IDPTemplateIsAutoUpdateCol,
table: idpTemplateTable,
}
feat(idp): provide option to auto link user (#7734) * init auto linking * prompt handling * working * translations * console * fixes * unify * custom texts * fix tests * linting * fix check of existing user * fix bg translation * set unspecified as default in the form
2024-04-10 17:46:30 +02:00
IDPTemplateAutoLinkingCol = Column{
name: projection.IDPTemplateAutoLinkingCol,
table: idpTemplateTable,
}
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
)
feat(api): add generic oauth provider template (#5260) adds functionality to manage templates based OIDC IDPs
2023-02-24 15:16:06 +01:00
var (
oauthIdpTemplateTable = table{
name: projection.IDPTemplateOAuthTable,
instanceIDCol: projection.OAuthInstanceIDCol,
}
OAuthIDCol = Column{
name: projection.OAuthIDCol,
table: oauthIdpTemplateTable,
}
OAuthInstanceIDCol = Column{
name: projection.OAuthInstanceIDCol,
table: oauthIdpTemplateTable,
}
OAuthClientIDCol = Column{
name: projection.OAuthClientIDCol,
table: oauthIdpTemplateTable,
}
OAuthClientSecretCol = Column{
name: projection.OAuthClientSecretCol,
table: oauthIdpTemplateTable,
}
OAuthAuthorizationEndpointCol = Column{
name: projection.OAuthAuthorizationEndpointCol,
table: oauthIdpTemplateTable,
}
OAuthTokenEndpointCol = Column{
name: projection.OAuthTokenEndpointCol,
table: oauthIdpTemplateTable,
}
OAuthUserEndpointCol = Column{
name: projection.OAuthUserEndpointCol,
table: oauthIdpTemplateTable,
}
OAuthScopesCol = Column{
name: projection.OAuthScopesCol,
table: oauthIdpTemplateTable,
}
fix: use of generic oauth provider (#5345) Adds a id_attribute to the GenericOAuthProvider, which is used to map the external User. Further mapping can be done in actions by using the `rawInfo` of the new `ctx.v1.providerInfo` field.
2023-03-03 11:38:49 +01:00
OAuthIDAttributeCol = Column{
name: projection.OAuthIDAttributeCol,
table: oauthIdpTemplateTable,
}
feat: add PKCE option to generic OAuth2 / OIDC identity providers (#9373) # Which Problems Are Solved Some OAuth2 and OIDC providers require the use of PKCE for all their clients. While ZITADEL already recommended the same for its clients, it did not yet support the option on the IdP configuration. # How the Problems Are Solved - A new boolean `use_pkce` is added to the add/update generic OAuth/OIDC endpoints. - A new checkbox is added to the generic OAuth and OIDC provider templates. - The `rp.WithPKCE` option is added to the provider if the use of PKCE has been set. - The `rp.WithCodeChallenge` and `rp.WithCodeVerifier` options are added to the OIDC/Auth BeginAuth and CodeExchange function. - Store verifier or any other persistent argument in the intent or auth request. - Create corresponding session object before creating the intent, to be able to store the information. - (refactored session structs to use a constructor for unified creation and better overview of actual usage) Here's a screenshot showing the URI including the PKCE params: ![use_pkce_in_url](https://github.com/zitadel/zitadel/assets/30386061/eaeab123-a5da-4826-b001-2ae9efa35169) # Additional Changes None. # Additional Context - Closes #6449 - This PR replaces the existing PR (#8228) of @doncicuto. The base he did was cherry picked. Thank you very much for that! --------- Co-authored-by: Miguel Cabrerizo <doncicuto@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-02-26 13:20:47 +01:00
OAuthUsePKCECol = Column{
name: projection.OAuthUsePKCECol,
table: oauthIdpTemplateTable,
}
feat(api): add generic oauth provider template (#5260) adds functionality to manage templates based OIDC IDPs
2023-02-24 15:16:06 +01:00
)
feat(api): add oidc and jwt provider template (#5290) Adds possibility to manage OIDC and JWT template based providers
2023-02-27 16:32:18 +01:00
var (
oidcIdpTemplateTable = table{
name: projection.IDPTemplateOIDCTable,
instanceIDCol: projection.OIDCInstanceIDCol,
}
OIDCIDCol = Column{
name: projection.OIDCIDCol,
table: oidcIdpTemplateTable,
}
OIDCInstanceIDCol = Column{
name: projection.OIDCInstanceIDCol,
table: oidcIdpTemplateTable,
}
OIDCIssuerCol = Column{
name: projection.OIDCIssuerCol,
table: oidcIdpTemplateTable,
}
OIDCClientIDCol = Column{
name: projection.OIDCClientIDCol,
table: oidcIdpTemplateTable,
}
OIDCClientSecretCol = Column{
name: projection.OIDCClientSecretCol,
table: oidcIdpTemplateTable,
}
OIDCScopesCol = Column{
name: projection.OIDCScopesCol,
table: oidcIdpTemplateTable,
}
fix: use idToken for mapping when using old configs (#5458) * fix: use idToken for mapping when using old configs * fix events and add tests
2023-03-16 16:47:22 +01:00
OIDCIDTokenMappingCol = Column{
name: projection.OIDCIDTokenMappingCol,
table: oidcIdpTemplateTable,
}
feat: add PKCE option to generic OAuth2 / OIDC identity providers (#9373) # Which Problems Are Solved Some OAuth2 and OIDC providers require the use of PKCE for all their clients. While ZITADEL already recommended the same for its clients, it did not yet support the option on the IdP configuration. # How the Problems Are Solved - A new boolean `use_pkce` is added to the add/update generic OAuth/OIDC endpoints. - A new checkbox is added to the generic OAuth and OIDC provider templates. - The `rp.WithPKCE` option is added to the provider if the use of PKCE has been set. - The `rp.WithCodeChallenge` and `rp.WithCodeVerifier` options are added to the OIDC/Auth BeginAuth and CodeExchange function. - Store verifier or any other persistent argument in the intent or auth request. - Create corresponding session object before creating the intent, to be able to store the information. - (refactored session structs to use a constructor for unified creation and better overview of actual usage) Here's a screenshot showing the URI including the PKCE params: ![use_pkce_in_url](https://github.com/zitadel/zitadel/assets/30386061/eaeab123-a5da-4826-b001-2ae9efa35169) # Additional Changes None. # Additional Context - Closes #6449 - This PR replaces the existing PR (#8228) of @doncicuto. The base he did was cherry picked. Thank you very much for that! --------- Co-authored-by: Miguel Cabrerizo <doncicuto@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-02-26 13:20:47 +01:00
OIDCUsePKCECol = Column{
name: projection.OIDCUsePKCECol,
table: oidcIdpTemplateTable,
}
feat(api): add oidc and jwt provider template (#5290) Adds possibility to manage OIDC and JWT template based providers
2023-02-27 16:32:18 +01:00
)
var (
jwtIdpTemplateTable = table{
name: projection.IDPTemplateJWTTable,
instanceIDCol: projection.JWTInstanceIDCol,
}
JWTIDCol = Column{
name: projection.JWTIDCol,
table: jwtIdpTemplateTable,
}
JWTInstanceIDCol = Column{
name: projection.JWTInstanceIDCol,
table: jwtIdpTemplateTable,
}
JWTIssuerCol = Column{
name: projection.JWTIssuerCol,
table: jwtIdpTemplateTable,
}
JWTEndpointCol = Column{
name: projection.JWTEndpointCol,
table: jwtIdpTemplateTable,
}
JWTKeysEndpointCol = Column{
name: projection.JWTKeysEndpointCol,
table: jwtIdpTemplateTable,
}
JWTHeaderNameCol = Column{
name: projection.JWTHeaderNameCol,
table: jwtIdpTemplateTable,
}
)
feat: add azure provider templates (#5441) Adds possibility to manage and use Microsoft Azure template based providers
2023-03-15 07:48:37 +01:00
var (
azureadIdpTemplateTable = table{
name: projection.IDPTemplateAzureADTable,
instanceIDCol: projection.AzureADInstanceIDCol,
}
AzureADIDCol = Column{
name: projection.AzureADIDCol,
table: azureadIdpTemplateTable,
}
AzureADInstanceIDCol = Column{
name: projection.AzureADInstanceIDCol,
table: azureadIdpTemplateTable,
}
AzureADClientIDCol = Column{
name: projection.AzureADClientIDCol,
table: azureadIdpTemplateTable,
}
AzureADClientSecretCol = Column{
name: projection.AzureADClientSecretCol,
table: azureadIdpTemplateTable,
}
AzureADScopesCol = Column{
name: projection.AzureADScopesCol,
table: azureadIdpTemplateTable,
}
AzureADTenantCol = Column{
name: projection.AzureADTenantCol,
table: azureadIdpTemplateTable,
}
AzureADIsEmailVerified = Column{
name: projection.AzureADIsEmailVerified,
table: azureadIdpTemplateTable,
}
)
feat: add github provider template (#5334) Adds possibility to manage and use GitHub (incl. Enterprise Server) template based providers
2023-03-08 11:17:28 +01:00
var (
githubIdpTemplateTable = table{
name: projection.IDPTemplateGitHubTable,
instanceIDCol: projection.GitHubInstanceIDCol,
}
GitHubIDCol = Column{
name: projection.GitHubIDCol,
table: githubIdpTemplateTable,
}
GitHubInstanceIDCol = Column{
name: projection.GitHubInstanceIDCol,
table: githubIdpTemplateTable,
}
GitHubClientIDCol = Column{
name: projection.GitHubClientIDCol,
table: githubIdpTemplateTable,
}
GitHubClientSecretCol = Column{
name: projection.GitHubClientSecretCol,
table: githubIdpTemplateTable,
}
GitHubScopesCol = Column{
name: projection.GitHubScopesCol,
table: githubIdpTemplateTable,
}
)
var (
githubEnterpriseIdpTemplateTable = table{
name: projection.IDPTemplateGitHubEnterpriseTable,
instanceIDCol: projection.GitHubEnterpriseInstanceIDCol,
}
GitHubEnterpriseIDCol = Column{
name: projection.GitHubEnterpriseIDCol,
table: githubEnterpriseIdpTemplateTable,
}
GitHubEnterpriseInstanceIDCol = Column{
name: projection.GitHubEnterpriseInstanceIDCol,
table: githubEnterpriseIdpTemplateTable,
}
GitHubEnterpriseClientIDCol = Column{
name: projection.GitHubEnterpriseClientIDCol,
table: githubEnterpriseIdpTemplateTable,
}
GitHubEnterpriseClientSecretCol = Column{
name: projection.GitHubEnterpriseClientSecretCol,
table: githubEnterpriseIdpTemplateTable,
}
GitHubEnterpriseAuthorizationEndpointCol = Column{
name: projection.GitHubEnterpriseAuthorizationEndpointCol,
table: githubEnterpriseIdpTemplateTable,
}
GitHubEnterpriseTokenEndpointCol = Column{
name: projection.GitHubEnterpriseTokenEndpointCol,
table: githubEnterpriseIdpTemplateTable,
}
GitHubEnterpriseUserEndpointCol = Column{
name: projection.GitHubEnterpriseUserEndpointCol,
table: githubEnterpriseIdpTemplateTable,
}
GitHubEnterpriseScopesCol = Column{
name: projection.GitHubEnterpriseScopesCol,
table: githubEnterpriseIdpTemplateTable,
}
)
feat: add gitlab provider templates (#5405) * feat(api): add google provider template * refactor reduce functions * handle removed event * linting * fix projection * feat(api): add generic oauth provider template * feat(api): add github provider templates * feat(api): add github provider templates * fixes * proto comment * fix filtering * requested changes * feat(api): add generic oauth provider template * remove wrongly committed message * increase budget for angular build * fix linting * fixes * fix merge * fix merge * fix projection * fix merge * updates from previous PRs * enable github providers in login * fix merge * fix test and add github styling in login * cleanup * feat(api): add gitlab provider templates * fix: merge * fix display of providers in login * implement gitlab in login and make prompt `select_account` optional since gitlab can't handle it * fix merge * fix merge and add tests for command side * requested changes * requested changes * Update internal/query/idp_template.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix merge * requested changes --------- Co-authored-by: Silvan <silvan.reusser@gmail.com>
2023-03-13 17:34:29 +01:00
var (
gitlabIdpTemplateTable = table{
name: projection.IDPTemplateGitLabTable,
instanceIDCol: projection.GitLabInstanceIDCol,
}
GitLabIDCol = Column{
name: projection.GitLabIDCol,
table: gitlabIdpTemplateTable,
}
GitLabInstanceIDCol = Column{
name: projection.GitLabInstanceIDCol,
table: gitlabIdpTemplateTable,
}
GitLabClientIDCol = Column{
name: projection.GitLabClientIDCol,
table: gitlabIdpTemplateTable,
}
GitLabClientSecretCol = Column{
name: projection.GitLabClientSecretCol,
table: gitlabIdpTemplateTable,
}
GitLabScopesCol = Column{
name: projection.GitLabScopesCol,
table: gitlabIdpTemplateTable,
}
)
var (
gitlabSelfHostedIdpTemplateTable = table{
name: projection.IDPTemplateGitLabSelfHostedTable,
instanceIDCol: projection.GitLabSelfHostedInstanceIDCol,
}
GitLabSelfHostedIDCol = Column{
name: projection.GitLabSelfHostedIDCol,
table: gitlabSelfHostedIdpTemplateTable,
}
GitLabSelfHostedInstanceIDCol = Column{
name: projection.GitLabSelfHostedInstanceIDCol,
table: gitlabSelfHostedIdpTemplateTable,
}
GitLabSelfHostedIssuerCol = Column{
name: projection.GitLabSelfHostedIssuerCol,
table: gitlabSelfHostedIdpTemplateTable,
}
GitLabSelfHostedClientIDCol = Column{
name: projection.GitLabSelfHostedClientIDCol,
table: gitlabSelfHostedIdpTemplateTable,
}
GitLabSelfHostedClientSecretCol = Column{
name: projection.GitLabSelfHostedClientSecretCol,
table: gitlabSelfHostedIdpTemplateTable,
}
GitLabSelfHostedScopesCol = Column{
name: projection.GitLabSelfHostedScopesCol,
table: gitlabSelfHostedIdpTemplateTable,
}
)
feat(api): add google provider template (#5247) add functionality to manage templates based Google IDP
2023-02-21 18:18:28 +01:00
var (
googleIdpTemplateTable = table{
name: projection.IDPTemplateGoogleTable,
instanceIDCol: projection.GoogleInstanceIDCol,
}
GoogleIDCol = Column{
name: projection.GoogleIDCol,
table: googleIdpTemplateTable,
}
GoogleInstanceIDCol = Column{
name: projection.GoogleInstanceIDCol,
table: googleIdpTemplateTable,
}
GoogleClientIDCol = Column{
name: projection.GoogleClientIDCol,
table: googleIdpTemplateTable,
}
GoogleClientSecretCol = Column{
name: projection.GoogleClientSecretCol,
table: googleIdpTemplateTable,
}
GoogleScopesCol = Column{
name: projection.GoogleScopesCol,
table: googleIdpTemplateTable,
}
)
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
var (
ldapIdpTemplateTable = table{
name: projection.IDPTemplateLDAPTable,
instanceIDCol: projection.IDPTemplateInstanceIDCol,
}
LDAPIDCol = Column{
name: projection.LDAPIDCol,
table: ldapIdpTemplateTable,
}
LDAPInstanceIDCol = Column{
name: projection.LDAPInstanceIDCol,
table: ldapIdpTemplateTable,
}
feat: ldap provider login (#5448) Add the logic to configure and use LDAP provider as an external IDP with a dedicated login GUI.
2023-03-24 16:18:56 +01:00
LDAPServersCol = Column{
name: projection.LDAPServersCol,
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
table: ldapIdpTemplateTable,
}
feat: ldap provider login (#5448) Add the logic to configure and use LDAP provider as an external IDP with a dedicated login GUI.
2023-03-24 16:18:56 +01:00
LDAPStartTLSCol = Column{
name: projection.LDAPStartTLSCol,
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
table: ldapIdpTemplateTable,
}
LDAPBaseDNCol = Column{
name: projection.LDAPBaseDNCol,
table: ldapIdpTemplateTable,
}
feat: ldap provider login (#5448) Add the logic to configure and use LDAP provider as an external IDP with a dedicated login GUI.
2023-03-24 16:18:56 +01:00
LDAPBindDNCol = Column{
name: projection.LDAPBindDNCol,
table: ldapIdpTemplateTable,
}
LDAPBindPasswordCol = Column{
name: projection.LDAPBindPasswordCol,
table: ldapIdpTemplateTable,
}
LDAPUserBaseCol = Column{
name: projection.LDAPUserBaseCol,
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
table: ldapIdpTemplateTable,
}
feat: ldap provider login (#5448) Add the logic to configure and use LDAP provider as an external IDP with a dedicated login GUI.
2023-03-24 16:18:56 +01:00
LDAPUserObjectClassesCol = Column{
name: projection.LDAPUserObjectClassesCol,
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
table: ldapIdpTemplateTable,
}
feat: ldap provider login (#5448) Add the logic to configure and use LDAP provider as an external IDP with a dedicated login GUI.
2023-03-24 16:18:56 +01:00
LDAPUserFiltersCol = Column{
name: projection.LDAPUserFiltersCol,
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
table: ldapIdpTemplateTable,
}
feat: ldap provider login (#5448) Add the logic to configure and use LDAP provider as an external IDP with a dedicated login GUI.
2023-03-24 16:18:56 +01:00
LDAPTimeoutCol = Column{
name: projection.LDAPTimeoutCol,
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
table: ldapIdpTemplateTable,
}
feat(ldap): adding root ca option to ldap config (#9292) # Which Problems Are Solved Adding ability to add a root CA to LDAP configs # Additional Context - Closes https://github.com/zitadel/zitadel/issues/7888 --------- Co-authored-by: Iraq Jaber <IraqJaber@gmail.com>
2025-02-18 10:06:50 +00:00
LDAPRootCACol = Column{
name: projection.LDAPRootCACol,
table: ldapIdpTemplateTable,
}
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
LDAPIDAttributeCol = Column{
name: projection.LDAPIDAttributeCol,
table: ldapIdpTemplateTable,
}
LDAPFirstNameAttributeCol = Column{
name: projection.LDAPFirstNameAttributeCol,
table: ldapIdpTemplateTable,
}
LDAPLastNameAttributeCol = Column{
name: projection.LDAPLastNameAttributeCol,
table: ldapIdpTemplateTable,
}
LDAPDisplayNameAttributeCol = Column{
name: projection.LDAPDisplayNameAttributeCol,
table: ldapIdpTemplateTable,
}
LDAPNickNameAttributeCol = Column{
name: projection.LDAPNickNameAttributeCol,
table: ldapIdpTemplateTable,
}
LDAPPreferredUsernameAttributeCol = Column{
name: projection.LDAPPreferredUsernameAttributeCol,
table: ldapIdpTemplateTable,
}
LDAPEmailAttributeCol = Column{
name: projection.LDAPEmailAttributeCol,
table: ldapIdpTemplateTable,
}
LDAPEmailVerifiedAttributeCol = Column{
name: projection.LDAPEmailVerifiedAttributeCol,
table: ldapIdpTemplateTable,
}
LDAPPhoneAttributeCol = Column{
name: projection.LDAPPhoneAttributeCol,
table: ldapIdpTemplateTable,
}
LDAPPhoneVerifiedAttributeCol = Column{
name: projection.LDAPPhoneVerifiedAttributeCol,
table: ldapIdpTemplateTable,
}
LDAPPreferredLanguageAttributeCol = Column{
name: projection.LDAPPreferredLanguageAttributeCol,
table: ldapIdpTemplateTable,
}
LDAPAvatarURLAttributeCol = Column{
name: projection.LDAPAvatarURLAttributeCol,
table: ldapIdpTemplateTable,
}
LDAPProfileAttributeCol = Column{
name: projection.LDAPProfileAttributeCol,
table: ldapIdpTemplateTable,
}
)
feat: add apple as idp (#6442) * feat: manage apple idp * handle apple idp callback * add tests for provider * basic console implementation * implement flow for login UI and add logos / styling * tests * cleanup * add upload button * begin i18n * apple logo positioning, file upload component * fix add apple instance idp * add missing apple logos for login * update to go 1.21 * fix slice compare * revert permission changes * concrete error messages * translate login apple logo -y-2px * change form parsing * sign in button * fix tests * lint console --------- Co-authored-by: peintnermax <max@caos.ch>
2023-08-31 08:39:16 +02:00
var (
appleIdpTemplateTable = table{
name: projection.IDPTemplateAppleTable,
instanceIDCol: projection.AppleInstanceIDCol,
}
AppleIDCol = Column{
name: projection.AppleIDCol,
table: appleIdpTemplateTable,
}
AppleInstanceIDCol = Column{
name: projection.AppleInstanceIDCol,
table: appleIdpTemplateTable,
}
AppleClientIDCol = Column{
name: projection.AppleClientIDCol,
table: appleIdpTemplateTable,
}
AppleTeamIDCol = Column{
name: projection.AppleTeamIDCol,
table: appleIdpTemplateTable,
}
AppleKeyIDCol = Column{
name: projection.AppleKeyIDCol,
table: appleIdpTemplateTable,
}
ApplePrivateKeyCol = Column{
name: projection.ApplePrivateKeyCol,
table: appleIdpTemplateTable,
}
AppleScopesCol = Column{
name: projection.AppleScopesCol,
table: appleIdpTemplateTable,
}
)
feat: add SAML as identity provider (#6454) * feat: first implementation for saml sp * fix: add command side instance and org for saml provider * fix: add query side instance and org for saml provider * fix: request handling in event and retrieval of finished intent * fix: add review changes and integration tests * fix: add integration tests for saml idp * fix: correct unit tests with review changes * fix: add saml session unit test * fix: add saml session unit test * fix: add saml session unit test * fix: changes from review * fix: changes from review * fix: proto build error * fix: proto build error * fix: proto build error * fix: proto require metadata oneof * fix: login with saml provider * fix: integration test for saml assertion * lint client.go * fix json tag * fix: linting * fix import * fix: linting * fix saml idp query * fix: linting * lint: try all issues * revert linting config * fix: add regenerate endpoints * fix: translations * fix mk.yaml * ignore acs path for user agent cookie * fix: add AuthFromProvider test for saml * fix: integration test for saml retrieve information --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-09-29 11:26:14 +02:00
var (
samlIdpTemplateTable = table{
name: projection.IDPTemplateSAMLTable,
instanceIDCol: projection.IDPTemplateInstanceIDCol,
}
SAMLIDCol = Column{
name: projection.SAMLIDCol,
table: samlIdpTemplateTable,
}
SAMLInstanceCol = Column{
name: projection.SAMLInstanceIDCol,
table: samlIdpTemplateTable,
}
SAMLMetadataCol = Column{
name: projection.SAMLMetadataCol,
table: samlIdpTemplateTable,
}
SAMLKeyCol = Column{
name: projection.SAMLKeyCol,
table: samlIdpTemplateTable,
}
SAMLCertificateCol = Column{
name: projection.SAMLCertificateCol,
table: samlIdpTemplateTable,
}
SAMLBindingCol = Column{
name: projection.SAMLBindingCol,
table: samlIdpTemplateTable,
}
SAMLWithSignedRequestCol = Column{
name: projection.SAMLWithSignedRequestCol,
table: samlIdpTemplateTable,
}
feat(saml): allow setting nameid-format and alternative mapping for transient format (#7979) # Which Problems Are Solved ZITADEL currently always uses `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` in SAML requests, relying on the IdP to respect that flag and always return a peristent nameid in order to be able to map the external user with an existing user (idp link) in ZITADEL. In case the IdP however returns a `urn:oasis:names:tc:SAML:2.0:nameid-format:transient` (transient) nameid, the attribute will differ between each request and it will not be possible to match existing users. # How the Problems Are Solved This PR adds the following two options on SAML IdP: - **nameIDFormat**: allows to set the nameid-format used in the SAML Request - **transientMappingAttributeName**: allows to set an attribute name, which will be used instead of the nameid itself in case the returned nameid-format is transient # Additional Changes To reduce impact on current installations, the `idp_templates6_saml` table is altered with the two added columns by a setup job. New installations will automatically get the table with the two columns directly. All idp unit tests are updated to use `expectEventstore` instead of the deprecated `eventstoreExpect`. # Additional Context Closes #7483 Closes #7743 --------- Co-authored-by: peintnermax <max@caos.ch> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2024-05-23 07:04:07 +02:00
SAMLNameIDFormatCol = Column{
name: projection.SAMLNameIDFormatCol,
table: samlIdpTemplateTable,
}
SAMLTransientMappingAttributeNameCol = Column{
name: projection.SAMLTransientMappingAttributeName,
table: samlIdpTemplateTable,
}
feat: federated logout for SAML IdPs (#9931) # Which Problems Are Solved Currently if a user signs in using an IdP, once they sign out of Zitadel, the corresponding IdP session is not terminated. This can be the desired behavior. In some cases, e.g. when using a shared computer it results in a potential security risk, since a follower user might be able to sign in as the previous using the still open IdP session. # How the Problems Are Solved - Admins can enabled a federated logout option on SAML IdPs through the Admin and Management APIs. - During the termination of a login V1 session using OIDC end_session endpoint, Zitadel will check if an IdP was used to authenticate that session. - In case there was a SAML IdP used with Federated Logout enabled, it will intercept the logout process, store the information into the shared cache and redirect to the federated logout endpoint in the V1 login. - The V1 login federated logout endpoint checks every request on an existing cache entry. On success it will create a SAML logout request for the used IdP and either redirect or POST to the configured SLO endpoint. The cache entry is updated with a `redirected` state. - A SLO endpoint is added to the `/idp` handlers, which will handle the SAML logout responses. At the moment it will check again for an existing federated logout entry (with state `redirected`) in the cache. On success, the user is redirected to the initially provided `post_logout_redirect_uri` from the end_session request. # Additional Changes None # Additional Context - This PR merges the https://github.com/zitadel/zitadel/pull/9841 and https://github.com/zitadel/zitadel/pull/9854 to main, additionally updating the docs on Entra ID SAML. - closes #9228 - backport to 3.x --------- Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com> Co-authored-by: Zach Hirschtritt <zachary.hirschtritt@klaviyo.com>
2025-05-23 13:52:25 +02:00
SAMLFederatedLogoutEnabledCol = Column{
name: projection.SAMLFederatedLogoutEnabled,
table: samlIdpTemplateTable,
}
feat: add SAML as identity provider (#6454) * feat: first implementation for saml sp * fix: add command side instance and org for saml provider * fix: add query side instance and org for saml provider * fix: request handling in event and retrieval of finished intent * fix: add review changes and integration tests * fix: add integration tests for saml idp * fix: correct unit tests with review changes * fix: add saml session unit test * fix: add saml session unit test * fix: add saml session unit test * fix: changes from review * fix: changes from review * fix: proto build error * fix: proto build error * fix: proto build error * fix: proto require metadata oneof * fix: login with saml provider * fix: integration test for saml assertion * lint client.go * fix json tag * fix: linting * fix import * fix: linting * fix saml idp query * fix: linting * lint: try all issues * revert linting config * fix: add regenerate endpoints * fix: translations * fix mk.yaml * ignore acs path for user agent cookie * fix: add AuthFromProvider test for saml * fix: integration test for saml retrieve information --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-09-29 11:26:14 +02:00
)
feat: idp v2 api GetIDPByID (#8425) # Which Problems Are Solved GetIDPByID as endpoint in the API v2 so that it can be available for the new login. # How the Problems Are Solved Create GetIDPByID endpoint with IDP v2 API, throught the GetProviderByID implementation from admin and management API. # Additional Changes - Remove the OwnerType attribute from the response, as the information is available through the resourceOwner. - correct refs to messages in proto which are used for doc generation - renaming of elements for API v3 # Additional Context Closes #8337 --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-08-14 20:18:29 +02:00
// IDPTemplateByID searches for the requested id with permission check if necessary
func (q *Queries) IDPTemplateByID(ctx context.Context, shouldTriggerBulk bool, id string, withOwnerRemoved bool, permissionCheck domain.PermissionCheck, queries ...SearchQuery) (template *IDPTemplate, err error) {
idp, err := q.idpTemplateByID(ctx, shouldTriggerBulk, id, withOwnerRemoved, queries...)
if err != nil {
return nil, err
}
if permissionCheck != nil {
switch idp.OwnerType {
case domain.IdentityProviderTypeSystem:
if err := permissionCheck(ctx, domain.PermissionIDPRead, idp.ResourceOwner, idp.ID); err != nil {
return nil, err
}
case domain.IdentityProviderTypeOrg:
if err := permissionCheck(ctx, domain.PermissionOrgIDPRead, idp.ResourceOwner, idp.ID); err != nil {
return nil, err
}
}
}
return idp, nil
}
// idpTemplateByID searches for the requested id
func (q *Queries) idpTemplateByID(ctx context.Context, shouldTriggerBulk bool, id string, withOwnerRemoved bool, queries ...SearchQuery) (template *IDPTemplate, err error) {
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
if shouldTriggerBulk {
chore: correct tracing of trigger function (#6825) * chore: correct tracing of trigger function * refactor: remove import
2023-10-26 17:07:56 +02:00
_, traceSpan := tracing.NewNamedSpan(ctx, "TriggerIDPTemplateProjection")
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
ctx, err = projection.IDPTemplateProjection.Trigger(ctx, handler.WithAwaitRunning())
logging.OnError(err).Debug("unable to trigger")
chore: correct tracing of trigger function (#6825) * chore: correct tracing of trigger function * refactor: remove import
2023-10-26 17:07:56 +02:00
traceSpan.EndWithError(err)
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
}
eq := sq.Eq{
IDPTemplateIDCol.identifier(): id,
IDPTemplateInstanceIDCol.identifier(): authz.GetInstance(ctx).InstanceID(),
}
if !withOwnerRemoved {
eq[IDPTemplateOwnerRemovedCol.identifier()] = false
}
chore!: Introduce ZITADEL v3 (#9645) This PR summarizes multiple changes specifically only available with ZITADEL v3: - feat: Web Keys management (https://github.com/zitadel/zitadel/pull/9526) - fix(cmd): ensure proper working of mirror (https://github.com/zitadel/zitadel/pull/9509) - feat(Authz): system user support for permission check v2 (https://github.com/zitadel/zitadel/pull/9640) - chore(license): change from Apache to AGPL (https://github.com/zitadel/zitadel/pull/9597) - feat(console): list v2 sessions (https://github.com/zitadel/zitadel/pull/9539) - fix(console): add loginV2 feature flag (https://github.com/zitadel/zitadel/pull/9682) - fix(feature flags): allow reading "own" flags (https://github.com/zitadel/zitadel/pull/9649) - feat(console): add Actions V2 UI (https://github.com/zitadel/zitadel/pull/9591) BREAKING CHANGE - feat(webkey): migrate to v2beta API (https://github.com/zitadel/zitadel/pull/9445) - chore!: remove CockroachDB Support (https://github.com/zitadel/zitadel/pull/9444) - feat(actions): migrate to v2beta API (https://github.com/zitadel/zitadel/pull/9489) --------- Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com> Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com> Co-authored-by: Ramon <mail@conblem.me> Co-authored-by: Elio Bischof <elio@zitadel.com> Co-authored-by: Kenta Yamaguchi <56732734+KEY60228@users.noreply.github.com> Co-authored-by: Harsha Reddy <harsha.reddy@klaviyo.com> Co-authored-by: Livio Spring <livio@zitadel.com> Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Iraq <66622793+kkrime@users.noreply.github.com> Co-authored-by: Florian Forster <florian@zitadel.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Max Peintner <peintnerm@gmail.com>
2025-04-02 16:53:06 +02:00
query, scan := prepareIDPTemplateByIDQuery()
feat(login): use new IDP templates (#5315) The login uses the new template based IDPs with backwards compatibility for old IDPs
2023-02-28 21:20:58 +01:00
for _, q := range queries {
query = q.toQuery(query)
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
}
feat(login): use new IDP templates (#5315) The login uses the new template based IDPs with backwards compatibility for old IDPs
2023-02-28 21:20:58 +01:00
stmt, args, err := query.Where(eq).ToSql()
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
if err != nil {
refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com>
2023-12-08 16:30:55 +02:00
return nil, zerrors.ThrowInternal(err, "QUERY-SFefg", "Errors.Query.SQLStatement")
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
}
feat(storage): read only transactions for queries (#6415) * fix: tests * bastle wie en grosse * fix(database): scan as callback * fix tests * fix merge failures * remove as of system time * refactor: remove unused test * refacotr: remove unused lines
2023-08-22 12:49:22 +02:00
err = q.client.QueryRowContext(ctx, func(row *sql.Row) error {
template, err = scan(row)
return err
}, stmt, args...)
return template, err
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
}
// IDPTemplates searches idp templates matching the query
func (q *Queries) IDPTemplates(ctx context.Context, queries *IDPTemplateSearchQueries, withOwnerRemoved bool) (idps *IDPTemplates, err error) {
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
chore!: Introduce ZITADEL v3 (#9645) This PR summarizes multiple changes specifically only available with ZITADEL v3: - feat: Web Keys management (https://github.com/zitadel/zitadel/pull/9526) - fix(cmd): ensure proper working of mirror (https://github.com/zitadel/zitadel/pull/9509) - feat(Authz): system user support for permission check v2 (https://github.com/zitadel/zitadel/pull/9640) - chore(license): change from Apache to AGPL (https://github.com/zitadel/zitadel/pull/9597) - feat(console): list v2 sessions (https://github.com/zitadel/zitadel/pull/9539) - fix(console): add loginV2 feature flag (https://github.com/zitadel/zitadel/pull/9682) - fix(feature flags): allow reading "own" flags (https://github.com/zitadel/zitadel/pull/9649) - feat(console): add Actions V2 UI (https://github.com/zitadel/zitadel/pull/9591) BREAKING CHANGE - feat(webkey): migrate to v2beta API (https://github.com/zitadel/zitadel/pull/9445) - chore!: remove CockroachDB Support (https://github.com/zitadel/zitadel/pull/9444) - feat(actions): migrate to v2beta API (https://github.com/zitadel/zitadel/pull/9489) --------- Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com> Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com> Co-authored-by: Ramon <mail@conblem.me> Co-authored-by: Elio Bischof <elio@zitadel.com> Co-authored-by: Kenta Yamaguchi <56732734+KEY60228@users.noreply.github.com> Co-authored-by: Harsha Reddy <harsha.reddy@klaviyo.com> Co-authored-by: Livio Spring <livio@zitadel.com> Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Iraq <66622793+kkrime@users.noreply.github.com> Co-authored-by: Florian Forster <florian@zitadel.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Max Peintner <peintnerm@gmail.com>
2025-04-02 16:53:06 +02:00
query, scan := prepareIDPTemplatesQuery()
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
eq := sq.Eq{
IDPTemplateInstanceIDCol.identifier(): authz.GetInstance(ctx).InstanceID(),
}
if !withOwnerRemoved {
eq[IDPTemplateOwnerRemovedCol.identifier()] = false
}
stmt, args, err := queries.toQuery(query).Where(eq).ToSql()
if err != nil {
refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com>
2023-12-08 16:30:55 +02:00
return nil, zerrors.ThrowInvalidArgument(err, "QUERY-SAF34", "Errors.Query.InvalidRequest")
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
}
feat(storage): read only transactions for queries (#6415) * fix: tests * bastle wie en grosse * fix(database): scan as callback * fix tests * fix merge failures * remove as of system time * refactor: remove unused test * refacotr: remove unused lines
2023-08-22 12:49:22 +02:00
err = q.client.QueryContext(ctx, func(rows *sql.Rows) error {
idps, err = scan(rows)
return err
}, stmt, args...)
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
if err != nil {
refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com>
2023-12-08 16:30:55 +02:00
return nil, zerrors.ThrowInternal(err, "QUERY-BDFrq", "Errors.Internal")
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
}
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
idps.State, err = q.latestState(ctx, idpTemplateTable)
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
return idps, err
}
type IDPTemplateSearchQueries struct {
SearchRequest
Queries []SearchQuery
}
func NewIDPTemplateIDSearchQuery(id string) (SearchQuery, error) {
return NewTextQuery(IDPTemplateIDCol, id, TextEquals)
}
func NewIDPTemplateOwnerTypeSearchQuery(ownerType domain.IdentityProviderType) (SearchQuery, error) {
return NewNumberQuery(IDPTemplateOwnerTypeCol, ownerType, NumberEquals)
}
func NewIDPTemplateNameSearchQuery(method TextComparison, value string) (SearchQuery, error) {
return NewTextQuery(IDPTemplateNameCol, value, method)
}
func NewIDPTemplateResourceOwnerSearchQuery(value string) (SearchQuery, error) {
return NewTextQuery(IDPTemplateResourceOwnerCol, value, TextEquals)
}
func NewIDPTemplateResourceOwnerListSearchQuery(ids ...string) (SearchQuery, error) {
list := make([]interface{}, len(ids))
for i, value := range ids {
list[i] = value
}
return NewListQuery(IDPTemplateResourceOwnerCol, list, ListIn)
}
feat: add exclusion of criteria for active idp query (#9040) # Which Problems Are Solved To list IDPs for potential linking, we need to filter them. The GetActiveIdentityProviderResponse should therefore be extended to provide the IDPConfig or information about whether the IDP is allowed to be linked or created. # How the Problems Are Solved Add parameters to the request to exclude CreationDisallowed and/or LinkingDisallowed in the query. # Additional Changes Added integration tests for the GetGetActiveIdentityProvider endpoint. # Additional Context Closes #8981 --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-12-18 17:19:05 +01:00
func NewIDPTemplateIsCreationAllowedSearchQuery(value bool) (SearchQuery, error) {
return NewBoolQuery(IDPTemplateIsCreationAllowedCol, value)
}
func NewIDPTemplateIsLinkingAllowedSearchQuery(value bool) (SearchQuery, error) {
return NewBoolQuery(IDPTemplateIsLinkingAllowedCol, value)
}
func NewIDPTemplateIsAutoCreationSearchQuery(value bool) (SearchQuery, error) {
return NewBoolQuery(IDPTemplateIsAutoCreationCol, value)
}
func NewIDPTemplateAutoLinkingSearchQuery(value int, method NumberComparison) (SearchQuery, error) {
return NewNumberQuery(IDPTemplateAutoLinkingCol, value, method)
}
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
func (q *IDPTemplateSearchQueries) toQuery(query sq.SelectBuilder) sq.SelectBuilder {
query = q.SearchRequest.toQuery(query)
for _, q := range q.Queries {
query = q.toQuery(query)
}
return query
}
chore!: Introduce ZITADEL v3 (#9645) This PR summarizes multiple changes specifically only available with ZITADEL v3: - feat: Web Keys management (https://github.com/zitadel/zitadel/pull/9526) - fix(cmd): ensure proper working of mirror (https://github.com/zitadel/zitadel/pull/9509) - feat(Authz): system user support for permission check v2 (https://github.com/zitadel/zitadel/pull/9640) - chore(license): change from Apache to AGPL (https://github.com/zitadel/zitadel/pull/9597) - feat(console): list v2 sessions (https://github.com/zitadel/zitadel/pull/9539) - fix(console): add loginV2 feature flag (https://github.com/zitadel/zitadel/pull/9682) - fix(feature flags): allow reading "own" flags (https://github.com/zitadel/zitadel/pull/9649) - feat(console): add Actions V2 UI (https://github.com/zitadel/zitadel/pull/9591) BREAKING CHANGE - feat(webkey): migrate to v2beta API (https://github.com/zitadel/zitadel/pull/9445) - chore!: remove CockroachDB Support (https://github.com/zitadel/zitadel/pull/9444) - feat(actions): migrate to v2beta API (https://github.com/zitadel/zitadel/pull/9489) --------- Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com> Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com> Co-authored-by: Ramon <mail@conblem.me> Co-authored-by: Elio Bischof <elio@zitadel.com> Co-authored-by: Kenta Yamaguchi <56732734+KEY60228@users.noreply.github.com> Co-authored-by: Harsha Reddy <harsha.reddy@klaviyo.com> Co-authored-by: Livio Spring <livio@zitadel.com> Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Iraq <66622793+kkrime@users.noreply.github.com> Co-authored-by: Florian Forster <florian@zitadel.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Max Peintner <peintnerm@gmail.com>
2025-04-02 16:53:06 +02:00
func prepareIDPTemplateByIDQuery() (sq.SelectBuilder, func(*sql.Row) (*IDPTemplate, error)) {
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
return sq.Select(
IDPTemplateIDCol.identifier(),
IDPTemplateResourceOwnerCol.identifier(),
IDPTemplateCreationDateCol.identifier(),
IDPTemplateChangeDateCol.identifier(),
IDPTemplateSequenceCol.identifier(),
IDPTemplateStateCol.identifier(),
IDPTemplateNameCol.identifier(),
IDPTemplateTypeCol.identifier(),
IDPTemplateOwnerTypeCol.identifier(),
IDPTemplateIsCreationAllowedCol.identifier(),
IDPTemplateIsLinkingAllowedCol.identifier(),
IDPTemplateIsAutoCreationCol.identifier(),
IDPTemplateIsAutoUpdateCol.identifier(),
feat(idp): provide option to auto link user (#7734) * init auto linking * prompt handling * working * translations * console * fixes * unify * custom texts * fix tests * linting * fix check of existing user * fix bg translation * set unspecified as default in the form
2024-04-10 17:46:30 +02:00
IDPTemplateAutoLinkingCol.identifier(),
feat(api): add generic oauth provider template (#5260) adds functionality to manage templates based OIDC IDPs
2023-02-24 15:16:06 +01:00
// oauth
OAuthIDCol.identifier(),
OAuthClientIDCol.identifier(),
OAuthClientSecretCol.identifier(),
OAuthAuthorizationEndpointCol.identifier(),
OAuthTokenEndpointCol.identifier(),
OAuthUserEndpointCol.identifier(),
OAuthScopesCol.identifier(),
fix: use of generic oauth provider (#5345) Adds a id_attribute to the GenericOAuthProvider, which is used to map the external User. Further mapping can be done in actions by using the `rawInfo` of the new `ctx.v1.providerInfo` field.
2023-03-03 11:38:49 +01:00
OAuthIDAttributeCol.identifier(),
feat: add PKCE option to generic OAuth2 / OIDC identity providers (#9373) # Which Problems Are Solved Some OAuth2 and OIDC providers require the use of PKCE for all their clients. While ZITADEL already recommended the same for its clients, it did not yet support the option on the IdP configuration. # How the Problems Are Solved - A new boolean `use_pkce` is added to the add/update generic OAuth/OIDC endpoints. - A new checkbox is added to the generic OAuth and OIDC provider templates. - The `rp.WithPKCE` option is added to the provider if the use of PKCE has been set. - The `rp.WithCodeChallenge` and `rp.WithCodeVerifier` options are added to the OIDC/Auth BeginAuth and CodeExchange function. - Store verifier or any other persistent argument in the intent or auth request. - Create corresponding session object before creating the intent, to be able to store the information. - (refactored session structs to use a constructor for unified creation and better overview of actual usage) Here's a screenshot showing the URI including the PKCE params: ![use_pkce_in_url](https://github.com/zitadel/zitadel/assets/30386061/eaeab123-a5da-4826-b001-2ae9efa35169) # Additional Changes None. # Additional Context - Closes #6449 - This PR replaces the existing PR (#8228) of @doncicuto. The base he did was cherry picked. Thank you very much for that! --------- Co-authored-by: Miguel Cabrerizo <doncicuto@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-02-26 13:20:47 +01:00
OAuthUsePKCECol.identifier(),
feat(api): add oidc and jwt provider template (#5290) Adds possibility to manage OIDC and JWT template based providers
2023-02-27 16:32:18 +01:00
// oidc
OIDCIDCol.identifier(),
OIDCIssuerCol.identifier(),
OIDCClientIDCol.identifier(),
OIDCClientSecretCol.identifier(),
OIDCScopesCol.identifier(),
fix: use idToken for mapping when using old configs (#5458) * fix: use idToken for mapping when using old configs * fix events and add tests
2023-03-16 16:47:22 +01:00
OIDCIDTokenMappingCol.identifier(),
feat: add PKCE option to generic OAuth2 / OIDC identity providers (#9373) # Which Problems Are Solved Some OAuth2 and OIDC providers require the use of PKCE for all their clients. While ZITADEL already recommended the same for its clients, it did not yet support the option on the IdP configuration. # How the Problems Are Solved - A new boolean `use_pkce` is added to the add/update generic OAuth/OIDC endpoints. - A new checkbox is added to the generic OAuth and OIDC provider templates. - The `rp.WithPKCE` option is added to the provider if the use of PKCE has been set. - The `rp.WithCodeChallenge` and `rp.WithCodeVerifier` options are added to the OIDC/Auth BeginAuth and CodeExchange function. - Store verifier or any other persistent argument in the intent or auth request. - Create corresponding session object before creating the intent, to be able to store the information. - (refactored session structs to use a constructor for unified creation and better overview of actual usage) Here's a screenshot showing the URI including the PKCE params: ![use_pkce_in_url](https://github.com/zitadel/zitadel/assets/30386061/eaeab123-a5da-4826-b001-2ae9efa35169) # Additional Changes None. # Additional Context - Closes #6449 - This PR replaces the existing PR (#8228) of @doncicuto. The base he did was cherry picked. Thank you very much for that! --------- Co-authored-by: Miguel Cabrerizo <doncicuto@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-02-26 13:20:47 +01:00
OIDCUsePKCECol.identifier(),
feat(api): add oidc and jwt provider template (#5290) Adds possibility to manage OIDC and JWT template based providers
2023-02-27 16:32:18 +01:00
// jwt
JWTIDCol.identifier(),
JWTIssuerCol.identifier(),
JWTEndpointCol.identifier(),
JWTKeysEndpointCol.identifier(),
JWTHeaderNameCol.identifier(),
feat: add azure provider templates (#5441) Adds possibility to manage and use Microsoft Azure template based providers
2023-03-15 07:48:37 +01:00
// azure
AzureADIDCol.identifier(),
AzureADClientIDCol.identifier(),
AzureADClientSecretCol.identifier(),
AzureADScopesCol.identifier(),
AzureADTenantCol.identifier(),
AzureADIsEmailVerified.identifier(),
feat: add github provider template (#5334) Adds possibility to manage and use GitHub (incl. Enterprise Server) template based providers
2023-03-08 11:17:28 +01:00
// github
GitHubIDCol.identifier(),
GitHubClientIDCol.identifier(),
GitHubClientSecretCol.identifier(),
GitHubScopesCol.identifier(),
// github enterprise
GitHubEnterpriseIDCol.identifier(),
GitHubEnterpriseClientIDCol.identifier(),
GitHubEnterpriseClientSecretCol.identifier(),
GitHubEnterpriseAuthorizationEndpointCol.identifier(),
GitHubEnterpriseTokenEndpointCol.identifier(),
GitHubEnterpriseUserEndpointCol.identifier(),
GitHubEnterpriseScopesCol.identifier(),
feat: add gitlab provider templates (#5405) * feat(api): add google provider template * refactor reduce functions * handle removed event * linting * fix projection * feat(api): add generic oauth provider template * feat(api): add github provider templates * feat(api): add github provider templates * fixes * proto comment * fix filtering * requested changes * feat(api): add generic oauth provider template * remove wrongly committed message * increase budget for angular build * fix linting * fixes * fix merge * fix merge * fix projection * fix merge * updates from previous PRs * enable github providers in login * fix merge * fix test and add github styling in login * cleanup * feat(api): add gitlab provider templates * fix: merge * fix display of providers in login * implement gitlab in login and make prompt `select_account` optional since gitlab can't handle it * fix merge * fix merge and add tests for command side * requested changes * requested changes * Update internal/query/idp_template.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix merge * requested changes --------- Co-authored-by: Silvan <silvan.reusser@gmail.com>
2023-03-13 17:34:29 +01:00
// gitlab
GitLabIDCol.identifier(),
GitLabClientIDCol.identifier(),
GitLabClientSecretCol.identifier(),
GitLabScopesCol.identifier(),
// gitlab self hosted
GitLabSelfHostedIDCol.identifier(),
GitLabSelfHostedIssuerCol.identifier(),
GitLabSelfHostedClientIDCol.identifier(),
GitLabSelfHostedClientSecretCol.identifier(),
GitLabSelfHostedScopesCol.identifier(),
feat(api): add generic oauth provider template (#5260) adds functionality to manage templates based OIDC IDPs
2023-02-24 15:16:06 +01:00
// google
feat(api): add google provider template (#5247) add functionality to manage templates based Google IDP
2023-02-21 18:18:28 +01:00
GoogleIDCol.identifier(),
GoogleClientIDCol.identifier(),
GoogleClientSecretCol.identifier(),
GoogleScopesCol.identifier(),
feat: add SAML as identity provider (#6454) * feat: first implementation for saml sp * fix: add command side instance and org for saml provider * fix: add query side instance and org for saml provider * fix: request handling in event and retrieval of finished intent * fix: add review changes and integration tests * fix: add integration tests for saml idp * fix: correct unit tests with review changes * fix: add saml session unit test * fix: add saml session unit test * fix: add saml session unit test * fix: changes from review * fix: changes from review * fix: proto build error * fix: proto build error * fix: proto build error * fix: proto require metadata oneof * fix: login with saml provider * fix: integration test for saml assertion * lint client.go * fix json tag * fix: linting * fix import * fix: linting * fix saml idp query * fix: linting * lint: try all issues * revert linting config * fix: add regenerate endpoints * fix: translations * fix mk.yaml * ignore acs path for user agent cookie * fix: add AuthFromProvider test for saml * fix: integration test for saml retrieve information --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-09-29 11:26:14 +02:00
// saml
SAMLIDCol.identifier(),
SAMLMetadataCol.identifier(),
SAMLKeyCol.identifier(),
SAMLCertificateCol.identifier(),
SAMLBindingCol.identifier(),
SAMLWithSignedRequestCol.identifier(),
feat(saml): allow setting nameid-format and alternative mapping for transient format (#7979) # Which Problems Are Solved ZITADEL currently always uses `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` in SAML requests, relying on the IdP to respect that flag and always return a peristent nameid in order to be able to map the external user with an existing user (idp link) in ZITADEL. In case the IdP however returns a `urn:oasis:names:tc:SAML:2.0:nameid-format:transient` (transient) nameid, the attribute will differ between each request and it will not be possible to match existing users. # How the Problems Are Solved This PR adds the following two options on SAML IdP: - **nameIDFormat**: allows to set the nameid-format used in the SAML Request - **transientMappingAttributeName**: allows to set an attribute name, which will be used instead of the nameid itself in case the returned nameid-format is transient # Additional Changes To reduce impact on current installations, the `idp_templates6_saml` table is altered with the two added columns by a setup job. New installations will automatically get the table with the two columns directly. All idp unit tests are updated to use `expectEventstore` instead of the deprecated `eventstoreExpect`. # Additional Context Closes #7483 Closes #7743 --------- Co-authored-by: peintnermax <max@caos.ch> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2024-05-23 07:04:07 +02:00
SAMLNameIDFormatCol.identifier(),
SAMLTransientMappingAttributeNameCol.identifier(),
feat: federated logout for SAML IdPs (#9931) # Which Problems Are Solved Currently if a user signs in using an IdP, once they sign out of Zitadel, the corresponding IdP session is not terminated. This can be the desired behavior. In some cases, e.g. when using a shared computer it results in a potential security risk, since a follower user might be able to sign in as the previous using the still open IdP session. # How the Problems Are Solved - Admins can enabled a federated logout option on SAML IdPs through the Admin and Management APIs. - During the termination of a login V1 session using OIDC end_session endpoint, Zitadel will check if an IdP was used to authenticate that session. - In case there was a SAML IdP used with Federated Logout enabled, it will intercept the logout process, store the information into the shared cache and redirect to the federated logout endpoint in the V1 login. - The V1 login federated logout endpoint checks every request on an existing cache entry. On success it will create a SAML logout request for the used IdP and either redirect or POST to the configured SLO endpoint. The cache entry is updated with a `redirected` state. - A SLO endpoint is added to the `/idp` handlers, which will handle the SAML logout responses. At the moment it will check again for an existing federated logout entry (with state `redirected`) in the cache. On success, the user is redirected to the initially provided `post_logout_redirect_uri` from the end_session request. # Additional Changes None # Additional Context - This PR merges the https://github.com/zitadel/zitadel/pull/9841 and https://github.com/zitadel/zitadel/pull/9854 to main, additionally updating the docs on Entra ID SAML. - closes #9228 - backport to 3.x --------- Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com> Co-authored-by: Zach Hirschtritt <zachary.hirschtritt@klaviyo.com>
2025-05-23 13:52:25 +02:00
SAMLFederatedLogoutEnabledCol.identifier(),
feat(api): add generic oauth provider template (#5260) adds functionality to manage templates based OIDC IDPs
2023-02-24 15:16:06 +01:00
// ldap
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
LDAPIDCol.identifier(),
feat: ldap provider login (#5448) Add the logic to configure and use LDAP provider as an external IDP with a dedicated login GUI.
2023-03-24 16:18:56 +01:00
LDAPServersCol.identifier(),
LDAPStartTLSCol.identifier(),
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
LDAPBaseDNCol.identifier(),
feat: ldap provider login (#5448) Add the logic to configure and use LDAP provider as an external IDP with a dedicated login GUI.
2023-03-24 16:18:56 +01:00
LDAPBindDNCol.identifier(),
LDAPBindPasswordCol.identifier(),
LDAPUserBaseCol.identifier(),
LDAPUserObjectClassesCol.identifier(),
LDAPUserFiltersCol.identifier(),
LDAPTimeoutCol.identifier(),
feat(ldap): adding root ca option to ldap config (#9292) # Which Problems Are Solved Adding ability to add a root CA to LDAP configs # Additional Context - Closes https://github.com/zitadel/zitadel/issues/7888 --------- Co-authored-by: Iraq Jaber <IraqJaber@gmail.com>
2025-02-18 10:06:50 +00:00
LDAPRootCACol.identifier(),
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
LDAPIDAttributeCol.identifier(),
LDAPFirstNameAttributeCol.identifier(),
LDAPLastNameAttributeCol.identifier(),
LDAPDisplayNameAttributeCol.identifier(),
LDAPNickNameAttributeCol.identifier(),
LDAPPreferredUsernameAttributeCol.identifier(),
LDAPEmailAttributeCol.identifier(),
LDAPEmailVerifiedAttributeCol.identifier(),
LDAPPhoneAttributeCol.identifier(),
LDAPPhoneVerifiedAttributeCol.identifier(),
LDAPPreferredLanguageAttributeCol.identifier(),
LDAPAvatarURLAttributeCol.identifier(),
LDAPProfileAttributeCol.identifier(),
feat: add apple as idp (#6442) * feat: manage apple idp * handle apple idp callback * add tests for provider * basic console implementation * implement flow for login UI and add logos / styling * tests * cleanup * add upload button * begin i18n * apple logo positioning, file upload component * fix add apple instance idp * add missing apple logos for login * update to go 1.21 * fix slice compare * revert permission changes * concrete error messages * translate login apple logo -y-2px * change form parsing * sign in button * fix tests * lint console --------- Co-authored-by: peintnermax <max@caos.ch>
2023-08-31 08:39:16 +02:00
// apple
AppleIDCol.identifier(),
AppleClientIDCol.identifier(),
AppleTeamIDCol.identifier(),
AppleKeyIDCol.identifier(),
ApplePrivateKeyCol.identifier(),
AppleScopesCol.identifier(),
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
).From(idpTemplateTable.identifier()).
feat(api): add generic oauth provider template (#5260) adds functionality to manage templates based OIDC IDPs
2023-02-24 15:16:06 +01:00
LeftJoin(join(OAuthIDCol, IDPTemplateIDCol)).
feat(api): add oidc and jwt provider template (#5290) Adds possibility to manage OIDC and JWT template based providers
2023-02-27 16:32:18 +01:00
LeftJoin(join(OIDCIDCol, IDPTemplateIDCol)).
LeftJoin(join(JWTIDCol, IDPTemplateIDCol)).
feat: add azure provider templates (#5441) Adds possibility to manage and use Microsoft Azure template based providers
2023-03-15 07:48:37 +01:00
LeftJoin(join(AzureADIDCol, IDPTemplateIDCol)).
feat: add github provider template (#5334) Adds possibility to manage and use GitHub (incl. Enterprise Server) template based providers
2023-03-08 11:17:28 +01:00
LeftJoin(join(GitHubIDCol, IDPTemplateIDCol)).
LeftJoin(join(GitHubEnterpriseIDCol, IDPTemplateIDCol)).
feat: add gitlab provider templates (#5405) * feat(api): add google provider template * refactor reduce functions * handle removed event * linting * fix projection * feat(api): add generic oauth provider template * feat(api): add github provider templates * feat(api): add github provider templates * fixes * proto comment * fix filtering * requested changes * feat(api): add generic oauth provider template * remove wrongly committed message * increase budget for angular build * fix linting * fixes * fix merge * fix merge * fix projection * fix merge * updates from previous PRs * enable github providers in login * fix merge * fix test and add github styling in login * cleanup * feat(api): add gitlab provider templates * fix: merge * fix display of providers in login * implement gitlab in login and make prompt `select_account` optional since gitlab can't handle it * fix merge * fix merge and add tests for command side * requested changes * requested changes * Update internal/query/idp_template.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix merge * requested changes --------- Co-authored-by: Silvan <silvan.reusser@gmail.com>
2023-03-13 17:34:29 +01:00
LeftJoin(join(GitLabIDCol, IDPTemplateIDCol)).
LeftJoin(join(GitLabSelfHostedIDCol, IDPTemplateIDCol)).
feat(api): add google provider template (#5247) add functionality to manage templates based Google IDP
2023-02-21 18:18:28 +01:00
LeftJoin(join(GoogleIDCol, IDPTemplateIDCol)).
feat: add SAML as identity provider (#6454) * feat: first implementation for saml sp * fix: add command side instance and org for saml provider * fix: add query side instance and org for saml provider * fix: request handling in event and retrieval of finished intent * fix: add review changes and integration tests * fix: add integration tests for saml idp * fix: correct unit tests with review changes * fix: add saml session unit test * fix: add saml session unit test * fix: add saml session unit test * fix: changes from review * fix: changes from review * fix: proto build error * fix: proto build error * fix: proto build error * fix: proto require metadata oneof * fix: login with saml provider * fix: integration test for saml assertion * lint client.go * fix json tag * fix: linting * fix import * fix: linting * fix saml idp query * fix: linting * lint: try all issues * revert linting config * fix: add regenerate endpoints * fix: translations * fix mk.yaml * ignore acs path for user agent cookie * fix: add AuthFromProvider test for saml * fix: integration test for saml retrieve information --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-09-29 11:26:14 +02:00
LeftJoin(join(SAMLIDCol, IDPTemplateIDCol)).
feat: add apple as idp (#6442) * feat: manage apple idp * handle apple idp callback * add tests for provider * basic console implementation * implement flow for login UI and add logos / styling * tests * cleanup * add upload button * begin i18n * apple logo positioning, file upload component * fix add apple instance idp * add missing apple logos for login * update to go 1.21 * fix slice compare * revert permission changes * concrete error messages * translate login apple logo -y-2px * change form parsing * sign in button * fix tests * lint console --------- Co-authored-by: peintnermax <max@caos.ch>
2023-08-31 08:39:16 +02:00
LeftJoin(join(LDAPIDCol, IDPTemplateIDCol)).
chore!: Introduce ZITADEL v3 (#9645) This PR summarizes multiple changes specifically only available with ZITADEL v3: - feat: Web Keys management (https://github.com/zitadel/zitadel/pull/9526) - fix(cmd): ensure proper working of mirror (https://github.com/zitadel/zitadel/pull/9509) - feat(Authz): system user support for permission check v2 (https://github.com/zitadel/zitadel/pull/9640) - chore(license): change from Apache to AGPL (https://github.com/zitadel/zitadel/pull/9597) - feat(console): list v2 sessions (https://github.com/zitadel/zitadel/pull/9539) - fix(console): add loginV2 feature flag (https://github.com/zitadel/zitadel/pull/9682) - fix(feature flags): allow reading "own" flags (https://github.com/zitadel/zitadel/pull/9649) - feat(console): add Actions V2 UI (https://github.com/zitadel/zitadel/pull/9591) BREAKING CHANGE - feat(webkey): migrate to v2beta API (https://github.com/zitadel/zitadel/pull/9445) - chore!: remove CockroachDB Support (https://github.com/zitadel/zitadel/pull/9444) - feat(actions): migrate to v2beta API (https://github.com/zitadel/zitadel/pull/9489) --------- Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com> Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com> Co-authored-by: Ramon <mail@conblem.me> Co-authored-by: Elio Bischof <elio@zitadel.com> Co-authored-by: Kenta Yamaguchi <56732734+KEY60228@users.noreply.github.com> Co-authored-by: Harsha Reddy <harsha.reddy@klaviyo.com> Co-authored-by: Livio Spring <livio@zitadel.com> Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Iraq <66622793+kkrime@users.noreply.github.com> Co-authored-by: Florian Forster <florian@zitadel.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Max Peintner <peintnerm@gmail.com>
2025-04-02 16:53:06 +02:00
LeftJoin(join(AppleIDCol, IDPTemplateIDCol)).
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
PlaceholderFormat(sq.Dollar),
func(row *sql.Row) (*IDPTemplate, error) {
idpTemplate := new(IDPTemplate)
feat(api): add google provider template (#5247) add functionality to manage templates based Google IDP
2023-02-21 18:18:28 +01:00
name := sql.NullString{}
feat(api): add generic oauth provider template (#5260) adds functionality to manage templates based OIDC IDPs
2023-02-24 15:16:06 +01:00
oauthID := sql.NullString{}
oauthClientID := sql.NullString{}
oauthClientSecret := new(crypto.CryptoValue)
oauthAuthorizationEndpoint := sql.NullString{}
oauthTokenEndpoint := sql.NullString{}
oauthUserEndpoint := sql.NullString{}
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
oauthScopes := database.TextArray[string]{}
fix: use of generic oauth provider (#5345) Adds a id_attribute to the GenericOAuthProvider, which is used to map the external User. Further mapping can be done in actions by using the `rawInfo` of the new `ctx.v1.providerInfo` field.
2023-03-03 11:38:49 +01:00
oauthIDAttribute := sql.NullString{}
feat: add PKCE option to generic OAuth2 / OIDC identity providers (#9373) # Which Problems Are Solved Some OAuth2 and OIDC providers require the use of PKCE for all their clients. While ZITADEL already recommended the same for its clients, it did not yet support the option on the IdP configuration. # How the Problems Are Solved - A new boolean `use_pkce` is added to the add/update generic OAuth/OIDC endpoints. - A new checkbox is added to the generic OAuth and OIDC provider templates. - The `rp.WithPKCE` option is added to the provider if the use of PKCE has been set. - The `rp.WithCodeChallenge` and `rp.WithCodeVerifier` options are added to the OIDC/Auth BeginAuth and CodeExchange function. - Store verifier or any other persistent argument in the intent or auth request. - Create corresponding session object before creating the intent, to be able to store the information. - (refactored session structs to use a constructor for unified creation and better overview of actual usage) Here's a screenshot showing the URI including the PKCE params: ![use_pkce_in_url](https://github.com/zitadel/zitadel/assets/30386061/eaeab123-a5da-4826-b001-2ae9efa35169) # Additional Changes None. # Additional Context - Closes #6449 - This PR replaces the existing PR (#8228) of @doncicuto. The base he did was cherry picked. Thank you very much for that! --------- Co-authored-by: Miguel Cabrerizo <doncicuto@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-02-26 13:20:47 +01:00
oauthUserPKCE := sql.NullBool{}
feat(api): add generic oauth provider template (#5260) adds functionality to manage templates based OIDC IDPs
2023-02-24 15:16:06 +01:00
feat(api): add oidc and jwt provider template (#5290) Adds possibility to manage OIDC and JWT template based providers
2023-02-27 16:32:18 +01:00
oidcID := sql.NullString{}
oidcIssuer := sql.NullString{}
oidcClientID := sql.NullString{}
oidcClientSecret := new(crypto.CryptoValue)
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
oidcScopes := database.TextArray[string]{}
fix: use idToken for mapping when using old configs (#5458) * fix: use idToken for mapping when using old configs * fix events and add tests
2023-03-16 16:47:22 +01:00
oidcIDTokenMapping := sql.NullBool{}
feat: add PKCE option to generic OAuth2 / OIDC identity providers (#9373) # Which Problems Are Solved Some OAuth2 and OIDC providers require the use of PKCE for all their clients. While ZITADEL already recommended the same for its clients, it did not yet support the option on the IdP configuration. # How the Problems Are Solved - A new boolean `use_pkce` is added to the add/update generic OAuth/OIDC endpoints. - A new checkbox is added to the generic OAuth and OIDC provider templates. - The `rp.WithPKCE` option is added to the provider if the use of PKCE has been set. - The `rp.WithCodeChallenge` and `rp.WithCodeVerifier` options are added to the OIDC/Auth BeginAuth and CodeExchange function. - Store verifier or any other persistent argument in the intent or auth request. - Create corresponding session object before creating the intent, to be able to store the information. - (refactored session structs to use a constructor for unified creation and better overview of actual usage) Here's a screenshot showing the URI including the PKCE params: ![use_pkce_in_url](https://github.com/zitadel/zitadel/assets/30386061/eaeab123-a5da-4826-b001-2ae9efa35169) # Additional Changes None. # Additional Context - Closes #6449 - This PR replaces the existing PR (#8228) of @doncicuto. The base he did was cherry picked. Thank you very much for that! --------- Co-authored-by: Miguel Cabrerizo <doncicuto@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-02-26 13:20:47 +01:00
oidcUserPKCE := sql.NullBool{}
feat(api): add oidc and jwt provider template (#5290) Adds possibility to manage OIDC and JWT template based providers
2023-02-27 16:32:18 +01:00
jwtID := sql.NullString{}
jwtIssuer := sql.NullString{}
jwtEndpoint := sql.NullString{}
jwtKeysEndpoint := sql.NullString{}
jwtHeaderName := sql.NullString{}
feat: add azure provider templates (#5441) Adds possibility to manage and use Microsoft Azure template based providers
2023-03-15 07:48:37 +01:00
azureadID := sql.NullString{}
azureadClientID := sql.NullString{}
azureadClientSecret := new(crypto.CryptoValue)
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
azureadScopes := database.TextArray[string]{}
feat: add azure provider templates (#5441) Adds possibility to manage and use Microsoft Azure template based providers
2023-03-15 07:48:37 +01:00
azureadTenant := sql.NullString{}
azureadIsEmailVerified := sql.NullBool{}
feat: add github provider template (#5334) Adds possibility to manage and use GitHub (incl. Enterprise Server) template based providers
2023-03-08 11:17:28 +01:00
githubID := sql.NullString{}
githubClientID := sql.NullString{}
githubClientSecret := new(crypto.CryptoValue)
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
githubScopes := database.TextArray[string]{}
feat: add github provider template (#5334) Adds possibility to manage and use GitHub (incl. Enterprise Server) template based providers
2023-03-08 11:17:28 +01:00
githubEnterpriseID := sql.NullString{}
githubEnterpriseClientID := sql.NullString{}
githubEnterpriseClientSecret := new(crypto.CryptoValue)
githubEnterpriseAuthorizationEndpoint := sql.NullString{}
githubEnterpriseTokenEndpoint := sql.NullString{}
githubEnterpriseUserEndpoint := sql.NullString{}
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
githubEnterpriseScopes := database.TextArray[string]{}
feat: add github provider template (#5334) Adds possibility to manage and use GitHub (incl. Enterprise Server) template based providers
2023-03-08 11:17:28 +01:00
feat: add gitlab provider templates (#5405) * feat(api): add google provider template * refactor reduce functions * handle removed event * linting * fix projection * feat(api): add generic oauth provider template * feat(api): add github provider templates * feat(api): add github provider templates * fixes * proto comment * fix filtering * requested changes * feat(api): add generic oauth provider template * remove wrongly committed message * increase budget for angular build * fix linting * fixes * fix merge * fix merge * fix projection * fix merge * updates from previous PRs * enable github providers in login * fix merge * fix test and add github styling in login * cleanup * feat(api): add gitlab provider templates * fix: merge * fix display of providers in login * implement gitlab in login and make prompt `select_account` optional since gitlab can't handle it * fix merge * fix merge and add tests for command side * requested changes * requested changes * Update internal/query/idp_template.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix merge * requested changes --------- Co-authored-by: Silvan <silvan.reusser@gmail.com>
2023-03-13 17:34:29 +01:00
gitlabID := sql.NullString{}
gitlabClientID := sql.NullString{}
gitlabClientSecret := new(crypto.CryptoValue)
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
gitlabScopes := database.TextArray[string]{}
feat: add gitlab provider templates (#5405) * feat(api): add google provider template * refactor reduce functions * handle removed event * linting * fix projection * feat(api): add generic oauth provider template * feat(api): add github provider templates * feat(api): add github provider templates * fixes * proto comment * fix filtering * requested changes * feat(api): add generic oauth provider template * remove wrongly committed message * increase budget for angular build * fix linting * fixes * fix merge * fix merge * fix projection * fix merge * updates from previous PRs * enable github providers in login * fix merge * fix test and add github styling in login * cleanup * feat(api): add gitlab provider templates * fix: merge * fix display of providers in login * implement gitlab in login and make prompt `select_account` optional since gitlab can't handle it * fix merge * fix merge and add tests for command side * requested changes * requested changes * Update internal/query/idp_template.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix merge * requested changes --------- Co-authored-by: Silvan <silvan.reusser@gmail.com>
2023-03-13 17:34:29 +01:00
gitlabSelfHostedID := sql.NullString{}
gitlabSelfHostedIssuer := sql.NullString{}
gitlabSelfHostedClientID := sql.NullString{}
gitlabSelfHostedClientSecret := new(crypto.CryptoValue)
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
gitlabSelfHostedScopes := database.TextArray[string]{}
feat: add gitlab provider templates (#5405) * feat(api): add google provider template * refactor reduce functions * handle removed event * linting * fix projection * feat(api): add generic oauth provider template * feat(api): add github provider templates * feat(api): add github provider templates * fixes * proto comment * fix filtering * requested changes * feat(api): add generic oauth provider template * remove wrongly committed message * increase budget for angular build * fix linting * fixes * fix merge * fix merge * fix projection * fix merge * updates from previous PRs * enable github providers in login * fix merge * fix test and add github styling in login * cleanup * feat(api): add gitlab provider templates * fix: merge * fix display of providers in login * implement gitlab in login and make prompt `select_account` optional since gitlab can't handle it * fix merge * fix merge and add tests for command side * requested changes * requested changes * Update internal/query/idp_template.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix merge * requested changes --------- Co-authored-by: Silvan <silvan.reusser@gmail.com>
2023-03-13 17:34:29 +01:00
feat(api): add google provider template (#5247) add functionality to manage templates based Google IDP
2023-02-21 18:18:28 +01:00
googleID := sql.NullString{}
googleClientID := sql.NullString{}
googleClientSecret := new(crypto.CryptoValue)
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
googleScopes := database.TextArray[string]{}
feat(api): add google provider template (#5247) add functionality to manage templates based Google IDP
2023-02-21 18:18:28 +01:00
feat: add SAML as identity provider (#6454) * feat: first implementation for saml sp * fix: add command side instance and org for saml provider * fix: add query side instance and org for saml provider * fix: request handling in event and retrieval of finished intent * fix: add review changes and integration tests * fix: add integration tests for saml idp * fix: correct unit tests with review changes * fix: add saml session unit test * fix: add saml session unit test * fix: add saml session unit test * fix: changes from review * fix: changes from review * fix: proto build error * fix: proto build error * fix: proto build error * fix: proto require metadata oneof * fix: login with saml provider * fix: integration test for saml assertion * lint client.go * fix json tag * fix: linting * fix import * fix: linting * fix saml idp query * fix: linting * lint: try all issues * revert linting config * fix: add regenerate endpoints * fix: translations * fix mk.yaml * ignore acs path for user agent cookie * fix: add AuthFromProvider test for saml * fix: integration test for saml retrieve information --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-09-29 11:26:14 +02:00
samlID := sql.NullString{}
var samlMetadata []byte
samlKey := new(crypto.CryptoValue)
var samlCertificate []byte
samlBinding := sql.NullString{}
samlWithSignedRequest := sql.NullBool{}
feat(saml): allow setting nameid-format and alternative mapping for transient format (#7979) # Which Problems Are Solved ZITADEL currently always uses `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` in SAML requests, relying on the IdP to respect that flag and always return a peristent nameid in order to be able to map the external user with an existing user (idp link) in ZITADEL. In case the IdP however returns a `urn:oasis:names:tc:SAML:2.0:nameid-format:transient` (transient) nameid, the attribute will differ between each request and it will not be possible to match existing users. # How the Problems Are Solved This PR adds the following two options on SAML IdP: - **nameIDFormat**: allows to set the nameid-format used in the SAML Request - **transientMappingAttributeName**: allows to set an attribute name, which will be used instead of the nameid itself in case the returned nameid-format is transient # Additional Changes To reduce impact on current installations, the `idp_templates6_saml` table is altered with the two added columns by a setup job. New installations will automatically get the table with the two columns directly. All idp unit tests are updated to use `expectEventstore` instead of the deprecated `eventstoreExpect`. # Additional Context Closes #7483 Closes #7743 --------- Co-authored-by: peintnermax <max@caos.ch> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2024-05-23 07:04:07 +02:00
samlNameIDFormat := sql.Null[domain.SAMLNameIDFormat]{}
samlTransientMappingAttributeName := sql.NullString{}
feat: federated logout for SAML IdPs (#9931) # Which Problems Are Solved Currently if a user signs in using an IdP, once they sign out of Zitadel, the corresponding IdP session is not terminated. This can be the desired behavior. In some cases, e.g. when using a shared computer it results in a potential security risk, since a follower user might be able to sign in as the previous using the still open IdP session. # How the Problems Are Solved - Admins can enabled a federated logout option on SAML IdPs through the Admin and Management APIs. - During the termination of a login V1 session using OIDC end_session endpoint, Zitadel will check if an IdP was used to authenticate that session. - In case there was a SAML IdP used with Federated Logout enabled, it will intercept the logout process, store the information into the shared cache and redirect to the federated logout endpoint in the V1 login. - The V1 login federated logout endpoint checks every request on an existing cache entry. On success it will create a SAML logout request for the used IdP and either redirect or POST to the configured SLO endpoint. The cache entry is updated with a `redirected` state. - A SLO endpoint is added to the `/idp` handlers, which will handle the SAML logout responses. At the moment it will check again for an existing federated logout entry (with state `redirected`) in the cache. On success, the user is redirected to the initially provided `post_logout_redirect_uri` from the end_session request. # Additional Changes None # Additional Context - This PR merges the https://github.com/zitadel/zitadel/pull/9841 and https://github.com/zitadel/zitadel/pull/9854 to main, additionally updating the docs on Entra ID SAML. - closes #9228 - backport to 3.x --------- Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com> Co-authored-by: Zach Hirschtritt <zachary.hirschtritt@klaviyo.com>
2025-05-23 13:52:25 +02:00
samlFederatedLogoutEnabled := sql.NullBool{}
feat: add SAML as identity provider (#6454) * feat: first implementation for saml sp * fix: add command side instance and org for saml provider * fix: add query side instance and org for saml provider * fix: request handling in event and retrieval of finished intent * fix: add review changes and integration tests * fix: add integration tests for saml idp * fix: correct unit tests with review changes * fix: add saml session unit test * fix: add saml session unit test * fix: add saml session unit test * fix: changes from review * fix: changes from review * fix: proto build error * fix: proto build error * fix: proto build error * fix: proto require metadata oneof * fix: login with saml provider * fix: integration test for saml assertion * lint client.go * fix json tag * fix: linting * fix import * fix: linting * fix saml idp query * fix: linting * lint: try all issues * revert linting config * fix: add regenerate endpoints * fix: translations * fix mk.yaml * ignore acs path for user agent cookie * fix: add AuthFromProvider test for saml * fix: integration test for saml retrieve information --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-09-29 11:26:14 +02:00
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
ldapID := sql.NullString{}
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
ldapServers := database.TextArray[string]{}
feat: ldap provider login (#5448) Add the logic to configure and use LDAP provider as an external IDP with a dedicated login GUI.
2023-03-24 16:18:56 +01:00
ldapStartTls := sql.NullBool{}
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
ldapBaseDN := sql.NullString{}
feat: ldap provider login (#5448) Add the logic to configure and use LDAP provider as an external IDP with a dedicated login GUI.
2023-03-24 16:18:56 +01:00
ldapBindDN := sql.NullString{}
ldapBindPassword := new(crypto.CryptoValue)
ldapUserBase := sql.NullString{}
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
ldapUserObjectClasses := database.TextArray[string]{}
ldapUserFilters := database.TextArray[string]{}
feat: ldap provider login (#5448) Add the logic to configure and use LDAP provider as an external IDP with a dedicated login GUI.
2023-03-24 16:18:56 +01:00
ldapTimeout := sql.NullInt64{}
feat(ldap): adding root ca option to ldap config (#9292) # Which Problems Are Solved Adding ability to add a root CA to LDAP configs # Additional Context - Closes https://github.com/zitadel/zitadel/issues/7888 --------- Co-authored-by: Iraq Jaber <IraqJaber@gmail.com>
2025-02-18 10:06:50 +00:00
var ldapRootCA []byte
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
ldapIDAttribute := sql.NullString{}
ldapFirstNameAttribute := sql.NullString{}
ldapLastNameAttribute := sql.NullString{}
ldapDisplayNameAttribute := sql.NullString{}
ldapNickNameAttribute := sql.NullString{}
ldapPreferredUsernameAttribute := sql.NullString{}
ldapEmailAttribute := sql.NullString{}
ldapEmailVerifiedAttribute := sql.NullString{}
ldapPhoneAttribute := sql.NullString{}
ldapPhoneVerifiedAttribute := sql.NullString{}
ldapPreferredLanguageAttribute := sql.NullString{}
ldapAvatarURLAttribute := sql.NullString{}
ldapProfileAttribute := sql.NullString{}
feat: add apple as idp (#6442) * feat: manage apple idp * handle apple idp callback * add tests for provider * basic console implementation * implement flow for login UI and add logos / styling * tests * cleanup * add upload button * begin i18n * apple logo positioning, file upload component * fix add apple instance idp * add missing apple logos for login * update to go 1.21 * fix slice compare * revert permission changes * concrete error messages * translate login apple logo -y-2px * change form parsing * sign in button * fix tests * lint console --------- Co-authored-by: peintnermax <max@caos.ch>
2023-08-31 08:39:16 +02:00
appleID := sql.NullString{}
appleClientID := sql.NullString{}
appleTeamID := sql.NullString{}
appleKeyID := sql.NullString{}
applePrivateKey := new(crypto.CryptoValue)
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
appleScopes := database.TextArray[string]{}
feat: add apple as idp (#6442) * feat: manage apple idp * handle apple idp callback * add tests for provider * basic console implementation * implement flow for login UI and add logos / styling * tests * cleanup * add upload button * begin i18n * apple logo positioning, file upload component * fix add apple instance idp * add missing apple logos for login * update to go 1.21 * fix slice compare * revert permission changes * concrete error messages * translate login apple logo -y-2px * change form parsing * sign in button * fix tests * lint console --------- Co-authored-by: peintnermax <max@caos.ch>
2023-08-31 08:39:16 +02:00
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
err := row.Scan(
&idpTemplate.ID,
&idpTemplate.ResourceOwner,
&idpTemplate.CreationDate,
&idpTemplate.ChangeDate,
&idpTemplate.Sequence,
&idpTemplate.State,
feat(api): add google provider template (#5247) add functionality to manage templates based Google IDP
2023-02-21 18:18:28 +01:00
&name,
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
&idpTemplate.Type,
&idpTemplate.OwnerType,
&idpTemplate.IsCreationAllowed,
&idpTemplate.IsLinkingAllowed,
&idpTemplate.IsAutoCreation,
&idpTemplate.IsAutoUpdate,
feat(idp): provide option to auto link user (#7734) * init auto linking * prompt handling * working * translations * console * fixes * unify * custom texts * fix tests * linting * fix check of existing user * fix bg translation * set unspecified as default in the form
2024-04-10 17:46:30 +02:00
&idpTemplate.AutoLinking,
feat(api): add generic oauth provider template (#5260) adds functionality to manage templates based OIDC IDPs
2023-02-24 15:16:06 +01:00
// oauth
&oauthID,
&oauthClientID,
&oauthClientSecret,
&oauthAuthorizationEndpoint,
&oauthTokenEndpoint,
&oauthUserEndpoint,
&oauthScopes,
fix: use of generic oauth provider (#5345) Adds a id_attribute to the GenericOAuthProvider, which is used to map the external User. Further mapping can be done in actions by using the `rawInfo` of the new `ctx.v1.providerInfo` field.
2023-03-03 11:38:49 +01:00
&oauthIDAttribute,
feat: add PKCE option to generic OAuth2 / OIDC identity providers (#9373) # Which Problems Are Solved Some OAuth2 and OIDC providers require the use of PKCE for all their clients. While ZITADEL already recommended the same for its clients, it did not yet support the option on the IdP configuration. # How the Problems Are Solved - A new boolean `use_pkce` is added to the add/update generic OAuth/OIDC endpoints. - A new checkbox is added to the generic OAuth and OIDC provider templates. - The `rp.WithPKCE` option is added to the provider if the use of PKCE has been set. - The `rp.WithCodeChallenge` and `rp.WithCodeVerifier` options are added to the OIDC/Auth BeginAuth and CodeExchange function. - Store verifier or any other persistent argument in the intent or auth request. - Create corresponding session object before creating the intent, to be able to store the information. - (refactored session structs to use a constructor for unified creation and better overview of actual usage) Here's a screenshot showing the URI including the PKCE params: ![use_pkce_in_url](https://github.com/zitadel/zitadel/assets/30386061/eaeab123-a5da-4826-b001-2ae9efa35169) # Additional Changes None. # Additional Context - Closes #6449 - This PR replaces the existing PR (#8228) of @doncicuto. The base he did was cherry picked. Thank you very much for that! --------- Co-authored-by: Miguel Cabrerizo <doncicuto@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-02-26 13:20:47 +01:00
&oauthUserPKCE,
feat(api): add oidc and jwt provider template (#5290) Adds possibility to manage OIDC and JWT template based providers
2023-02-27 16:32:18 +01:00
// oidc
&oidcID,
&oidcIssuer,
&oidcClientID,
&oidcClientSecret,
&oidcScopes,
fix: use idToken for mapping when using old configs (#5458) * fix: use idToken for mapping when using old configs * fix events and add tests
2023-03-16 16:47:22 +01:00
&oidcIDTokenMapping,
feat: add PKCE option to generic OAuth2 / OIDC identity providers (#9373) # Which Problems Are Solved Some OAuth2 and OIDC providers require the use of PKCE for all their clients. While ZITADEL already recommended the same for its clients, it did not yet support the option on the IdP configuration. # How the Problems Are Solved - A new boolean `use_pkce` is added to the add/update generic OAuth/OIDC endpoints. - A new checkbox is added to the generic OAuth and OIDC provider templates. - The `rp.WithPKCE` option is added to the provider if the use of PKCE has been set. - The `rp.WithCodeChallenge` and `rp.WithCodeVerifier` options are added to the OIDC/Auth BeginAuth and CodeExchange function. - Store verifier or any other persistent argument in the intent or auth request. - Create corresponding session object before creating the intent, to be able to store the information. - (refactored session structs to use a constructor for unified creation and better overview of actual usage) Here's a screenshot showing the URI including the PKCE params: ![use_pkce_in_url](https://github.com/zitadel/zitadel/assets/30386061/eaeab123-a5da-4826-b001-2ae9efa35169) # Additional Changes None. # Additional Context - Closes #6449 - This PR replaces the existing PR (#8228) of @doncicuto. The base he did was cherry picked. Thank you very much for that! --------- Co-authored-by: Miguel Cabrerizo <doncicuto@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-02-26 13:20:47 +01:00
&oidcUserPKCE,
feat(api): add oidc and jwt provider template (#5290) Adds possibility to manage OIDC and JWT template based providers
2023-02-27 16:32:18 +01:00
// jwt
&jwtID,
&jwtIssuer,
&jwtEndpoint,
&jwtKeysEndpoint,
&jwtHeaderName,
feat: add azure provider templates (#5441) Adds possibility to manage and use Microsoft Azure template based providers
2023-03-15 07:48:37 +01:00
// azure
&azureadID,
&azureadClientID,
&azureadClientSecret,
&azureadScopes,
&azureadTenant,
&azureadIsEmailVerified,
feat: add github provider template (#5334) Adds possibility to manage and use GitHub (incl. Enterprise Server) template based providers
2023-03-08 11:17:28 +01:00
// github
&githubID,
&githubClientID,
&githubClientSecret,
&githubScopes,
// github enterprise
&githubEnterpriseID,
&githubEnterpriseClientID,
&githubEnterpriseClientSecret,
&githubEnterpriseAuthorizationEndpoint,
&githubEnterpriseTokenEndpoint,
&githubEnterpriseUserEndpoint,
&githubEnterpriseScopes,
feat: add gitlab provider templates (#5405) * feat(api): add google provider template * refactor reduce functions * handle removed event * linting * fix projection * feat(api): add generic oauth provider template * feat(api): add github provider templates * feat(api): add github provider templates * fixes * proto comment * fix filtering * requested changes * feat(api): add generic oauth provider template * remove wrongly committed message * increase budget for angular build * fix linting * fixes * fix merge * fix merge * fix projection * fix merge * updates from previous PRs * enable github providers in login * fix merge * fix test and add github styling in login * cleanup * feat(api): add gitlab provider templates * fix: merge * fix display of providers in login * implement gitlab in login and make prompt `select_account` optional since gitlab can't handle it * fix merge * fix merge and add tests for command side * requested changes * requested changes * Update internal/query/idp_template.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix merge * requested changes --------- Co-authored-by: Silvan <silvan.reusser@gmail.com>
2023-03-13 17:34:29 +01:00
// gitlab
&gitlabID,
&gitlabClientID,
&gitlabClientSecret,
&gitlabScopes,
// gitlab self hosted
&gitlabSelfHostedID,
&gitlabSelfHostedIssuer,
&gitlabSelfHostedClientID,
&gitlabSelfHostedClientSecret,
&gitlabSelfHostedScopes,
feat(api): add generic oauth provider template (#5260) adds functionality to manage templates based OIDC IDPs
2023-02-24 15:16:06 +01:00
// google
feat(api): add google provider template (#5247) add functionality to manage templates based Google IDP
2023-02-21 18:18:28 +01:00
&googleID,
&googleClientID,
&googleClientSecret,
&googleScopes,
feat: add SAML as identity provider (#6454) * feat: first implementation for saml sp * fix: add command side instance and org for saml provider * fix: add query side instance and org for saml provider * fix: request handling in event and retrieval of finished intent * fix: add review changes and integration tests * fix: add integration tests for saml idp * fix: correct unit tests with review changes * fix: add saml session unit test * fix: add saml session unit test * fix: add saml session unit test * fix: changes from review * fix: changes from review * fix: proto build error * fix: proto build error * fix: proto build error * fix: proto require metadata oneof * fix: login with saml provider * fix: integration test for saml assertion * lint client.go * fix json tag * fix: linting * fix import * fix: linting * fix saml idp query * fix: linting * lint: try all issues * revert linting config * fix: add regenerate endpoints * fix: translations * fix mk.yaml * ignore acs path for user agent cookie * fix: add AuthFromProvider test for saml * fix: integration test for saml retrieve information --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-09-29 11:26:14 +02:00
// saml
&samlID,
&samlMetadata,
&samlKey,
&samlCertificate,
&samlBinding,
&samlWithSignedRequest,
feat(saml): allow setting nameid-format and alternative mapping for transient format (#7979) # Which Problems Are Solved ZITADEL currently always uses `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` in SAML requests, relying on the IdP to respect that flag and always return a peristent nameid in order to be able to map the external user with an existing user (idp link) in ZITADEL. In case the IdP however returns a `urn:oasis:names:tc:SAML:2.0:nameid-format:transient` (transient) nameid, the attribute will differ between each request and it will not be possible to match existing users. # How the Problems Are Solved This PR adds the following two options on SAML IdP: - **nameIDFormat**: allows to set the nameid-format used in the SAML Request - **transientMappingAttributeName**: allows to set an attribute name, which will be used instead of the nameid itself in case the returned nameid-format is transient # Additional Changes To reduce impact on current installations, the `idp_templates6_saml` table is altered with the two added columns by a setup job. New installations will automatically get the table with the two columns directly. All idp unit tests are updated to use `expectEventstore` instead of the deprecated `eventstoreExpect`. # Additional Context Closes #7483 Closes #7743 --------- Co-authored-by: peintnermax <max@caos.ch> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2024-05-23 07:04:07 +02:00
&samlNameIDFormat,
&samlTransientMappingAttributeName,
feat: federated logout for SAML IdPs (#9931) # Which Problems Are Solved Currently if a user signs in using an IdP, once they sign out of Zitadel, the corresponding IdP session is not terminated. This can be the desired behavior. In some cases, e.g. when using a shared computer it results in a potential security risk, since a follower user might be able to sign in as the previous using the still open IdP session. # How the Problems Are Solved - Admins can enabled a federated logout option on SAML IdPs through the Admin and Management APIs. - During the termination of a login V1 session using OIDC end_session endpoint, Zitadel will check if an IdP was used to authenticate that session. - In case there was a SAML IdP used with Federated Logout enabled, it will intercept the logout process, store the information into the shared cache and redirect to the federated logout endpoint in the V1 login. - The V1 login federated logout endpoint checks every request on an existing cache entry. On success it will create a SAML logout request for the used IdP and either redirect or POST to the configured SLO endpoint. The cache entry is updated with a `redirected` state. - A SLO endpoint is added to the `/idp` handlers, which will handle the SAML logout responses. At the moment it will check again for an existing federated logout entry (with state `redirected`) in the cache. On success, the user is redirected to the initially provided `post_logout_redirect_uri` from the end_session request. # Additional Changes None # Additional Context - This PR merges the https://github.com/zitadel/zitadel/pull/9841 and https://github.com/zitadel/zitadel/pull/9854 to main, additionally updating the docs on Entra ID SAML. - closes #9228 - backport to 3.x --------- Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com> Co-authored-by: Zach Hirschtritt <zachary.hirschtritt@klaviyo.com>
2025-05-23 13:52:25 +02:00
&samlFederatedLogoutEnabled,
feat(api): add generic oauth provider template (#5260) adds functionality to manage templates based OIDC IDPs
2023-02-24 15:16:06 +01:00
// ldap
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
&ldapID,
feat: ldap provider login (#5448) Add the logic to configure and use LDAP provider as an external IDP with a dedicated login GUI.
2023-03-24 16:18:56 +01:00
&ldapServers,
&ldapStartTls,
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
&ldapBaseDN,
feat: ldap provider login (#5448) Add the logic to configure and use LDAP provider as an external IDP with a dedicated login GUI.
2023-03-24 16:18:56 +01:00
&ldapBindDN,
&ldapBindPassword,
&ldapUserBase,
&ldapUserObjectClasses,
&ldapUserFilters,
&ldapTimeout,
feat(ldap): adding root ca option to ldap config (#9292) # Which Problems Are Solved Adding ability to add a root CA to LDAP configs # Additional Context - Closes https://github.com/zitadel/zitadel/issues/7888 --------- Co-authored-by: Iraq Jaber <IraqJaber@gmail.com>
2025-02-18 10:06:50 +00:00
&ldapRootCA,
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
&ldapIDAttribute,
&ldapFirstNameAttribute,
&ldapLastNameAttribute,
&ldapDisplayNameAttribute,
&ldapNickNameAttribute,
&ldapPreferredUsernameAttribute,
&ldapEmailAttribute,
&ldapEmailVerifiedAttribute,
&ldapPhoneAttribute,
&ldapPhoneVerifiedAttribute,
&ldapPreferredLanguageAttribute,
&ldapAvatarURLAttribute,
&ldapProfileAttribute,
feat: add apple as idp (#6442) * feat: manage apple idp * handle apple idp callback * add tests for provider * basic console implementation * implement flow for login UI and add logos / styling * tests * cleanup * add upload button * begin i18n * apple logo positioning, file upload component * fix add apple instance idp * add missing apple logos for login * update to go 1.21 * fix slice compare * revert permission changes * concrete error messages * translate login apple logo -y-2px * change form parsing * sign in button * fix tests * lint console --------- Co-authored-by: peintnermax <max@caos.ch>
2023-08-31 08:39:16 +02:00
// apple
&appleID,
&appleClientID,
&appleTeamID,
&appleKeyID,
&applePrivateKey,
&appleScopes,
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
)
if err != nil {
refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com>
2023-12-08 16:30:55 +02:00
if errors.Is(err, sql.ErrNoRows) {
return nil, zerrors.ThrowNotFound(err, "QUERY-SAFrt", "Errors.IDPConfig.NotExisting")
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
}
refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com>
2023-12-08 16:30:55 +02:00
return nil, zerrors.ThrowInternal(err, "QUERY-ADG42", "Errors.Internal")
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
}
feat(api): add google provider template (#5247) add functionality to manage templates based Google IDP
2023-02-21 18:18:28 +01:00
idpTemplate.Name = name.String
feat(api): add generic oauth provider template (#5260) adds functionality to manage templates based OIDC IDPs
2023-02-24 15:16:06 +01:00
if oauthID.Valid {
idpTemplate.OAuthIDPTemplate = &OAuthIDPTemplate{
IDPID: oauthID.String,
ClientID: oauthClientID.String,
ClientSecret: oauthClientSecret,
AuthorizationEndpoint: oauthAuthorizationEndpoint.String,
TokenEndpoint: oauthTokenEndpoint.String,
UserEndpoint: oauthUserEndpoint.String,
Scopes: oauthScopes,
fix: use of generic oauth provider (#5345) Adds a id_attribute to the GenericOAuthProvider, which is used to map the external User. Further mapping can be done in actions by using the `rawInfo` of the new `ctx.v1.providerInfo` field.
2023-03-03 11:38:49 +01:00
IDAttribute: oauthIDAttribute.String,
feat: add PKCE option to generic OAuth2 / OIDC identity providers (#9373) # Which Problems Are Solved Some OAuth2 and OIDC providers require the use of PKCE for all their clients. While ZITADEL already recommended the same for its clients, it did not yet support the option on the IdP configuration. # How the Problems Are Solved - A new boolean `use_pkce` is added to the add/update generic OAuth/OIDC endpoints. - A new checkbox is added to the generic OAuth and OIDC provider templates. - The `rp.WithPKCE` option is added to the provider if the use of PKCE has been set. - The `rp.WithCodeChallenge` and `rp.WithCodeVerifier` options are added to the OIDC/Auth BeginAuth and CodeExchange function. - Store verifier or any other persistent argument in the intent or auth request. - Create corresponding session object before creating the intent, to be able to store the information. - (refactored session structs to use a constructor for unified creation and better overview of actual usage) Here's a screenshot showing the URI including the PKCE params: ![use_pkce_in_url](https://github.com/zitadel/zitadel/assets/30386061/eaeab123-a5da-4826-b001-2ae9efa35169) # Additional Changes None. # Additional Context - Closes #6449 - This PR replaces the existing PR (#8228) of @doncicuto. The base he did was cherry picked. Thank you very much for that! --------- Co-authored-by: Miguel Cabrerizo <doncicuto@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-02-26 13:20:47 +01:00
UsePKCE: oauthUserPKCE.Bool,
feat(api): add generic oauth provider template (#5260) adds functionality to manage templates based OIDC IDPs
2023-02-24 15:16:06 +01:00
}
}
feat(api): add oidc and jwt provider template (#5290) Adds possibility to manage OIDC and JWT template based providers
2023-02-27 16:32:18 +01:00
if oidcID.Valid {
idpTemplate.OIDCIDPTemplate = &OIDCIDPTemplate{
fix: use idToken for mapping when using old configs (#5458) * fix: use idToken for mapping when using old configs * fix events and add tests
2023-03-16 16:47:22 +01:00
IDPID: oidcID.String,
ClientID: oidcClientID.String,
ClientSecret: oidcClientSecret,
Issuer: oidcIssuer.String,
Scopes: oidcScopes,
IsIDTokenMapping: oidcIDTokenMapping.Bool,
feat: add PKCE option to generic OAuth2 / OIDC identity providers (#9373) # Which Problems Are Solved Some OAuth2 and OIDC providers require the use of PKCE for all their clients. While ZITADEL already recommended the same for its clients, it did not yet support the option on the IdP configuration. # How the Problems Are Solved - A new boolean `use_pkce` is added to the add/update generic OAuth/OIDC endpoints. - A new checkbox is added to the generic OAuth and OIDC provider templates. - The `rp.WithPKCE` option is added to the provider if the use of PKCE has been set. - The `rp.WithCodeChallenge` and `rp.WithCodeVerifier` options are added to the OIDC/Auth BeginAuth and CodeExchange function. - Store verifier or any other persistent argument in the intent or auth request. - Create corresponding session object before creating the intent, to be able to store the information. - (refactored session structs to use a constructor for unified creation and better overview of actual usage) Here's a screenshot showing the URI including the PKCE params: ![use_pkce_in_url](https://github.com/zitadel/zitadel/assets/30386061/eaeab123-a5da-4826-b001-2ae9efa35169) # Additional Changes None. # Additional Context - Closes #6449 - This PR replaces the existing PR (#8228) of @doncicuto. The base he did was cherry picked. Thank you very much for that! --------- Co-authored-by: Miguel Cabrerizo <doncicuto@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-02-26 13:20:47 +01:00
UsePKCE: oidcUserPKCE.Bool,
feat(api): add oidc and jwt provider template (#5290) Adds possibility to manage OIDC and JWT template based providers
2023-02-27 16:32:18 +01:00
}
}
if jwtID.Valid {
idpTemplate.JWTIDPTemplate = &JWTIDPTemplate{
IDPID: jwtID.String,
Issuer: jwtIssuer.String,
KeysEndpoint: jwtKeysEndpoint.String,
HeaderName: jwtHeaderName.String,
Endpoint: jwtEndpoint.String,
}
}
feat: add azure provider templates (#5441) Adds possibility to manage and use Microsoft Azure template based providers
2023-03-15 07:48:37 +01:00
if azureadID.Valid {
idpTemplate.AzureADIDPTemplate = &AzureADIDPTemplate{
IDPID: azureadID.String,
ClientID: azureadClientID.String,
ClientSecret: azureadClientSecret,
Scopes: azureadScopes,
Tenant: azureadTenant.String,
IsEmailVerified: azureadIsEmailVerified.Bool,
}
}
feat: add github provider template (#5334) Adds possibility to manage and use GitHub (incl. Enterprise Server) template based providers
2023-03-08 11:17:28 +01:00
if githubID.Valid {
idpTemplate.GitHubIDPTemplate = &GitHubIDPTemplate{
IDPID: githubID.String,
ClientID: githubClientID.String,
ClientSecret: githubClientSecret,
Scopes: githubScopes,
}
}
if githubEnterpriseID.Valid {
idpTemplate.GitHubEnterpriseIDPTemplate = &GitHubEnterpriseIDPTemplate{
IDPID: githubEnterpriseID.String,
ClientID: githubEnterpriseClientID.String,
ClientSecret: githubEnterpriseClientSecret,
AuthorizationEndpoint: githubEnterpriseAuthorizationEndpoint.String,
TokenEndpoint: githubEnterpriseTokenEndpoint.String,
UserEndpoint: githubEnterpriseUserEndpoint.String,
Scopes: githubEnterpriseScopes,
}
}
feat: add gitlab provider templates (#5405) * feat(api): add google provider template * refactor reduce functions * handle removed event * linting * fix projection * feat(api): add generic oauth provider template * feat(api): add github provider templates * feat(api): add github provider templates * fixes * proto comment * fix filtering * requested changes * feat(api): add generic oauth provider template * remove wrongly committed message * increase budget for angular build * fix linting * fixes * fix merge * fix merge * fix projection * fix merge * updates from previous PRs * enable github providers in login * fix merge * fix test and add github styling in login * cleanup * feat(api): add gitlab provider templates * fix: merge * fix display of providers in login * implement gitlab in login and make prompt `select_account` optional since gitlab can't handle it * fix merge * fix merge and add tests for command side * requested changes * requested changes * Update internal/query/idp_template.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix merge * requested changes --------- Co-authored-by: Silvan <silvan.reusser@gmail.com>
2023-03-13 17:34:29 +01:00
if gitlabID.Valid {
idpTemplate.GitLabIDPTemplate = &GitLabIDPTemplate{
IDPID: gitlabID.String,
ClientID: gitlabClientID.String,
ClientSecret: gitlabClientSecret,
Scopes: gitlabScopes,
}
}
if gitlabSelfHostedID.Valid {
idpTemplate.GitLabSelfHostedIDPTemplate = &GitLabSelfHostedIDPTemplate{
IDPID: gitlabSelfHostedID.String,
Issuer: gitlabSelfHostedIssuer.String,
ClientID: gitlabSelfHostedClientID.String,
ClientSecret: gitlabSelfHostedClientSecret,
Scopes: gitlabSelfHostedScopes,
}
}
feat(api): add google provider template (#5247) add functionality to manage templates based Google IDP
2023-02-21 18:18:28 +01:00
if googleID.Valid {
idpTemplate.GoogleIDPTemplate = &GoogleIDPTemplate{
IDPID: googleID.String,
ClientID: googleClientID.String,
ClientSecret: googleClientSecret,
Scopes: googleScopes,
}
feat(api): add generic oauth provider template (#5260) adds functionality to manage templates based OIDC IDPs
2023-02-24 15:16:06 +01:00
}
feat: add SAML as identity provider (#6454) * feat: first implementation for saml sp * fix: add command side instance and org for saml provider * fix: add query side instance and org for saml provider * fix: request handling in event and retrieval of finished intent * fix: add review changes and integration tests * fix: add integration tests for saml idp * fix: correct unit tests with review changes * fix: add saml session unit test * fix: add saml session unit test * fix: add saml session unit test * fix: changes from review * fix: changes from review * fix: proto build error * fix: proto build error * fix: proto build error * fix: proto require metadata oneof * fix: login with saml provider * fix: integration test for saml assertion * lint client.go * fix json tag * fix: linting * fix import * fix: linting * fix saml idp query * fix: linting * lint: try all issues * revert linting config * fix: add regenerate endpoints * fix: translations * fix mk.yaml * ignore acs path for user agent cookie * fix: add AuthFromProvider test for saml * fix: integration test for saml retrieve information --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-09-29 11:26:14 +02:00
if samlID.Valid {
idpTemplate.SAMLIDPTemplate = &SAMLIDPTemplate{
feat(saml): allow setting nameid-format and alternative mapping for transient format (#7979) # Which Problems Are Solved ZITADEL currently always uses `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` in SAML requests, relying on the IdP to respect that flag and always return a peristent nameid in order to be able to map the external user with an existing user (idp link) in ZITADEL. In case the IdP however returns a `urn:oasis:names:tc:SAML:2.0:nameid-format:transient` (transient) nameid, the attribute will differ between each request and it will not be possible to match existing users. # How the Problems Are Solved This PR adds the following two options on SAML IdP: - **nameIDFormat**: allows to set the nameid-format used in the SAML Request - **transientMappingAttributeName**: allows to set an attribute name, which will be used instead of the nameid itself in case the returned nameid-format is transient # Additional Changes To reduce impact on current installations, the `idp_templates6_saml` table is altered with the two added columns by a setup job. New installations will automatically get the table with the two columns directly. All idp unit tests are updated to use `expectEventstore` instead of the deprecated `eventstoreExpect`. # Additional Context Closes #7483 Closes #7743 --------- Co-authored-by: peintnermax <max@caos.ch> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2024-05-23 07:04:07 +02:00
IDPID: samlID.String,
Metadata: samlMetadata,
Key: samlKey,
Certificate: samlCertificate,
Binding: samlBinding.String,
WithSignedRequest: samlWithSignedRequest.Bool,
NameIDFormat: samlNameIDFormat,
TransientMappingAttributeName: samlTransientMappingAttributeName.String,
feat: federated logout for SAML IdPs (#9931) # Which Problems Are Solved Currently if a user signs in using an IdP, once they sign out of Zitadel, the corresponding IdP session is not terminated. This can be the desired behavior. In some cases, e.g. when using a shared computer it results in a potential security risk, since a follower user might be able to sign in as the previous using the still open IdP session. # How the Problems Are Solved - Admins can enabled a federated logout option on SAML IdPs through the Admin and Management APIs. - During the termination of a login V1 session using OIDC end_session endpoint, Zitadel will check if an IdP was used to authenticate that session. - In case there was a SAML IdP used with Federated Logout enabled, it will intercept the logout process, store the information into the shared cache and redirect to the federated logout endpoint in the V1 login. - The V1 login federated logout endpoint checks every request on an existing cache entry. On success it will create a SAML logout request for the used IdP and either redirect or POST to the configured SLO endpoint. The cache entry is updated with a `redirected` state. - A SLO endpoint is added to the `/idp` handlers, which will handle the SAML logout responses. At the moment it will check again for an existing federated logout entry (with state `redirected`) in the cache. On success, the user is redirected to the initially provided `post_logout_redirect_uri` from the end_session request. # Additional Changes None # Additional Context - This PR merges the https://github.com/zitadel/zitadel/pull/9841 and https://github.com/zitadel/zitadel/pull/9854 to main, additionally updating the docs on Entra ID SAML. - closes #9228 - backport to 3.x --------- Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com> Co-authored-by: Zach Hirschtritt <zachary.hirschtritt@klaviyo.com>
2025-05-23 13:52:25 +02:00
FederatedLogoutEnabled: samlFederatedLogoutEnabled.Bool,
feat: add SAML as identity provider (#6454) * feat: first implementation for saml sp * fix: add command side instance and org for saml provider * fix: add query side instance and org for saml provider * fix: request handling in event and retrieval of finished intent * fix: add review changes and integration tests * fix: add integration tests for saml idp * fix: correct unit tests with review changes * fix: add saml session unit test * fix: add saml session unit test * fix: add saml session unit test * fix: changes from review * fix: changes from review * fix: proto build error * fix: proto build error * fix: proto build error * fix: proto require metadata oneof * fix: login with saml provider * fix: integration test for saml assertion * lint client.go * fix json tag * fix: linting * fix import * fix: linting * fix saml idp query * fix: linting * lint: try all issues * revert linting config * fix: add regenerate endpoints * fix: translations * fix mk.yaml * ignore acs path for user agent cookie * fix: add AuthFromProvider test for saml * fix: integration test for saml retrieve information --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-09-29 11:26:14 +02:00
}
}
feat(api): add generic oauth provider template (#5260) adds functionality to manage templates based OIDC IDPs
2023-02-24 15:16:06 +01:00
if ldapID.Valid {
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
idpTemplate.LDAPIDPTemplate = &LDAPIDPTemplate{
feat: ldap provider login (#5448) Add the logic to configure and use LDAP provider as an external IDP with a dedicated login GUI.
2023-03-24 16:18:56 +01:00
IDPID: ldapID.String,
Servers: ldapServers,
StartTLS: ldapStartTls.Bool,
BaseDN: ldapBaseDN.String,
BindDN: ldapBindDN.String,
BindPassword: ldapBindPassword,
UserBase: ldapUserBase.String,
UserObjectClasses: ldapUserObjectClasses,
UserFilters: ldapUserFilters,
Timeout: time.Duration(ldapTimeout.Int64),
feat(ldap): adding root ca option to ldap config (#9292) # Which Problems Are Solved Adding ability to add a root CA to LDAP configs # Additional Context - Closes https://github.com/zitadel/zitadel/issues/7888 --------- Co-authored-by: Iraq Jaber <IraqJaber@gmail.com>
2025-02-18 10:06:50 +00:00
RootCA: ldapRootCA,
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
LDAPAttributes: idp.LDAPAttributes{
IDAttribute: ldapIDAttribute.String,
FirstNameAttribute: ldapFirstNameAttribute.String,
LastNameAttribute: ldapLastNameAttribute.String,
DisplayNameAttribute: ldapDisplayNameAttribute.String,
NickNameAttribute: ldapNickNameAttribute.String,
PreferredUsernameAttribute: ldapPreferredUsernameAttribute.String,
EmailAttribute: ldapEmailAttribute.String,
EmailVerifiedAttribute: ldapEmailVerifiedAttribute.String,
PhoneAttribute: ldapPhoneAttribute.String,
PhoneVerifiedAttribute: ldapPhoneVerifiedAttribute.String,
PreferredLanguageAttribute: ldapPreferredLanguageAttribute.String,
AvatarURLAttribute: ldapAvatarURLAttribute.String,
ProfileAttribute: ldapProfileAttribute.String,
},
}
}
feat: add apple as idp (#6442) * feat: manage apple idp * handle apple idp callback * add tests for provider * basic console implementation * implement flow for login UI and add logos / styling * tests * cleanup * add upload button * begin i18n * apple logo positioning, file upload component * fix add apple instance idp * add missing apple logos for login * update to go 1.21 * fix slice compare * revert permission changes * concrete error messages * translate login apple logo -y-2px * change form parsing * sign in button * fix tests * lint console --------- Co-authored-by: peintnermax <max@caos.ch>
2023-08-31 08:39:16 +02:00
if appleID.Valid {
idpTemplate.AppleIDPTemplate = &AppleIDPTemplate{
IDPID: appleID.String,
ClientID: appleClientID.String,
TeamID: appleTeamID.String,
KeyID: appleKeyID.String,
PrivateKey: applePrivateKey,
Scopes: appleScopes,
}
}
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
return idpTemplate, nil
}
}
chore!: Introduce ZITADEL v3 (#9645) This PR summarizes multiple changes specifically only available with ZITADEL v3: - feat: Web Keys management (https://github.com/zitadel/zitadel/pull/9526) - fix(cmd): ensure proper working of mirror (https://github.com/zitadel/zitadel/pull/9509) - feat(Authz): system user support for permission check v2 (https://github.com/zitadel/zitadel/pull/9640) - chore(license): change from Apache to AGPL (https://github.com/zitadel/zitadel/pull/9597) - feat(console): list v2 sessions (https://github.com/zitadel/zitadel/pull/9539) - fix(console): add loginV2 feature flag (https://github.com/zitadel/zitadel/pull/9682) - fix(feature flags): allow reading "own" flags (https://github.com/zitadel/zitadel/pull/9649) - feat(console): add Actions V2 UI (https://github.com/zitadel/zitadel/pull/9591) BREAKING CHANGE - feat(webkey): migrate to v2beta API (https://github.com/zitadel/zitadel/pull/9445) - chore!: remove CockroachDB Support (https://github.com/zitadel/zitadel/pull/9444) - feat(actions): migrate to v2beta API (https://github.com/zitadel/zitadel/pull/9489) --------- Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com> Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com> Co-authored-by: Ramon <mail@conblem.me> Co-authored-by: Elio Bischof <elio@zitadel.com> Co-authored-by: Kenta Yamaguchi <56732734+KEY60228@users.noreply.github.com> Co-authored-by: Harsha Reddy <harsha.reddy@klaviyo.com> Co-authored-by: Livio Spring <livio@zitadel.com> Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Iraq <66622793+kkrime@users.noreply.github.com> Co-authored-by: Florian Forster <florian@zitadel.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Max Peintner <peintnerm@gmail.com>
2025-04-02 16:53:06 +02:00
//nolint:gocognit
func prepareIDPTemplatesQuery() (sq.SelectBuilder, func(*sql.Rows) (*IDPTemplates, error)) {
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
return sq.Select(
IDPTemplateIDCol.identifier(),
IDPTemplateResourceOwnerCol.identifier(),
IDPTemplateCreationDateCol.identifier(),
IDPTemplateChangeDateCol.identifier(),
IDPTemplateSequenceCol.identifier(),
IDPTemplateStateCol.identifier(),
IDPTemplateNameCol.identifier(),
IDPTemplateTypeCol.identifier(),
IDPTemplateOwnerTypeCol.identifier(),
IDPTemplateIsCreationAllowedCol.identifier(),
IDPTemplateIsLinkingAllowedCol.identifier(),
IDPTemplateIsAutoCreationCol.identifier(),
IDPTemplateIsAutoUpdateCol.identifier(),
feat(idp): provide option to auto link user (#7734) * init auto linking * prompt handling * working * translations * console * fixes * unify * custom texts * fix tests * linting * fix check of existing user * fix bg translation * set unspecified as default in the form
2024-04-10 17:46:30 +02:00
IDPTemplateAutoLinkingCol.identifier(),
feat(api): add generic oauth provider template (#5260) adds functionality to manage templates based OIDC IDPs
2023-02-24 15:16:06 +01:00
// oauth
OAuthIDCol.identifier(),
OAuthClientIDCol.identifier(),
OAuthClientSecretCol.identifier(),
OAuthAuthorizationEndpointCol.identifier(),
OAuthTokenEndpointCol.identifier(),
OAuthUserEndpointCol.identifier(),
OAuthScopesCol.identifier(),
fix: use of generic oauth provider (#5345) Adds a id_attribute to the GenericOAuthProvider, which is used to map the external User. Further mapping can be done in actions by using the `rawInfo` of the new `ctx.v1.providerInfo` field.
2023-03-03 11:38:49 +01:00
OAuthIDAttributeCol.identifier(),
feat: add PKCE option to generic OAuth2 / OIDC identity providers (#9373) # Which Problems Are Solved Some OAuth2 and OIDC providers require the use of PKCE for all their clients. While ZITADEL already recommended the same for its clients, it did not yet support the option on the IdP configuration. # How the Problems Are Solved - A new boolean `use_pkce` is added to the add/update generic OAuth/OIDC endpoints. - A new checkbox is added to the generic OAuth and OIDC provider templates. - The `rp.WithPKCE` option is added to the provider if the use of PKCE has been set. - The `rp.WithCodeChallenge` and `rp.WithCodeVerifier` options are added to the OIDC/Auth BeginAuth and CodeExchange function. - Store verifier or any other persistent argument in the intent or auth request. - Create corresponding session object before creating the intent, to be able to store the information. - (refactored session structs to use a constructor for unified creation and better overview of actual usage) Here's a screenshot showing the URI including the PKCE params: ![use_pkce_in_url](https://github.com/zitadel/zitadel/assets/30386061/eaeab123-a5da-4826-b001-2ae9efa35169) # Additional Changes None. # Additional Context - Closes #6449 - This PR replaces the existing PR (#8228) of @doncicuto. The base he did was cherry picked. Thank you very much for that! --------- Co-authored-by: Miguel Cabrerizo <doncicuto@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-02-26 13:20:47 +01:00
OAuthUsePKCECol.identifier(),
feat(api): add oidc and jwt provider template (#5290) Adds possibility to manage OIDC and JWT template based providers
2023-02-27 16:32:18 +01:00
// oidc
OIDCIDCol.identifier(),
OIDCIssuerCol.identifier(),
OIDCClientIDCol.identifier(),
OIDCClientSecretCol.identifier(),
OIDCScopesCol.identifier(),
fix: use idToken for mapping when using old configs (#5458) * fix: use idToken for mapping when using old configs * fix events and add tests
2023-03-16 16:47:22 +01:00
OIDCIDTokenMappingCol.identifier(),
feat: add PKCE option to generic OAuth2 / OIDC identity providers (#9373) # Which Problems Are Solved Some OAuth2 and OIDC providers require the use of PKCE for all their clients. While ZITADEL already recommended the same for its clients, it did not yet support the option on the IdP configuration. # How the Problems Are Solved - A new boolean `use_pkce` is added to the add/update generic OAuth/OIDC endpoints. - A new checkbox is added to the generic OAuth and OIDC provider templates. - The `rp.WithPKCE` option is added to the provider if the use of PKCE has been set. - The `rp.WithCodeChallenge` and `rp.WithCodeVerifier` options are added to the OIDC/Auth BeginAuth and CodeExchange function. - Store verifier or any other persistent argument in the intent or auth request. - Create corresponding session object before creating the intent, to be able to store the information. - (refactored session structs to use a constructor for unified creation and better overview of actual usage) Here's a screenshot showing the URI including the PKCE params: ![use_pkce_in_url](https://github.com/zitadel/zitadel/assets/30386061/eaeab123-a5da-4826-b001-2ae9efa35169) # Additional Changes None. # Additional Context - Closes #6449 - This PR replaces the existing PR (#8228) of @doncicuto. The base he did was cherry picked. Thank you very much for that! --------- Co-authored-by: Miguel Cabrerizo <doncicuto@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-02-26 13:20:47 +01:00
OIDCUsePKCECol.identifier(),
feat(api): add oidc and jwt provider template (#5290) Adds possibility to manage OIDC and JWT template based providers
2023-02-27 16:32:18 +01:00
// jwt
JWTIDCol.identifier(),
JWTIssuerCol.identifier(),
JWTEndpointCol.identifier(),
JWTKeysEndpointCol.identifier(),
JWTHeaderNameCol.identifier(),
feat: add azure provider templates (#5441) Adds possibility to manage and use Microsoft Azure template based providers
2023-03-15 07:48:37 +01:00
// azure
AzureADIDCol.identifier(),
AzureADClientIDCol.identifier(),
AzureADClientSecretCol.identifier(),
AzureADScopesCol.identifier(),
AzureADTenantCol.identifier(),
AzureADIsEmailVerified.identifier(),
feat: add github provider template (#5334) Adds possibility to manage and use GitHub (incl. Enterprise Server) template based providers
2023-03-08 11:17:28 +01:00
// github
GitHubIDCol.identifier(),
GitHubClientIDCol.identifier(),
GitHubClientSecretCol.identifier(),
GitHubScopesCol.identifier(),
// github enterprise
GitHubEnterpriseIDCol.identifier(),
GitHubEnterpriseClientIDCol.identifier(),
GitHubEnterpriseClientSecretCol.identifier(),
GitHubEnterpriseAuthorizationEndpointCol.identifier(),
GitHubEnterpriseTokenEndpointCol.identifier(),
GitHubEnterpriseUserEndpointCol.identifier(),
GitHubEnterpriseScopesCol.identifier(),
feat: add gitlab provider templates (#5405) * feat(api): add google provider template * refactor reduce functions * handle removed event * linting * fix projection * feat(api): add generic oauth provider template * feat(api): add github provider templates * feat(api): add github provider templates * fixes * proto comment * fix filtering * requested changes * feat(api): add generic oauth provider template * remove wrongly committed message * increase budget for angular build * fix linting * fixes * fix merge * fix merge * fix projection * fix merge * updates from previous PRs * enable github providers in login * fix merge * fix test and add github styling in login * cleanup * feat(api): add gitlab provider templates * fix: merge * fix display of providers in login * implement gitlab in login and make prompt `select_account` optional since gitlab can't handle it * fix merge * fix merge and add tests for command side * requested changes * requested changes * Update internal/query/idp_template.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix merge * requested changes --------- Co-authored-by: Silvan <silvan.reusser@gmail.com>
2023-03-13 17:34:29 +01:00
// gitlab
GitLabIDCol.identifier(),
GitLabClientIDCol.identifier(),
GitLabClientSecretCol.identifier(),
GitLabScopesCol.identifier(),
// gitlab self hosted
GitLabSelfHostedIDCol.identifier(),
GitLabSelfHostedIssuerCol.identifier(),
GitLabSelfHostedClientIDCol.identifier(),
GitLabSelfHostedClientSecretCol.identifier(),
GitLabSelfHostedScopesCol.identifier(),
feat(api): add generic oauth provider template (#5260) adds functionality to manage templates based OIDC IDPs
2023-02-24 15:16:06 +01:00
// google
feat(api): add google provider template (#5247) add functionality to manage templates based Google IDP
2023-02-21 18:18:28 +01:00
GoogleIDCol.identifier(),
GoogleClientIDCol.identifier(),
GoogleClientSecretCol.identifier(),
GoogleScopesCol.identifier(),
feat: add SAML as identity provider (#6454) * feat: first implementation for saml sp * fix: add command side instance and org for saml provider * fix: add query side instance and org for saml provider * fix: request handling in event and retrieval of finished intent * fix: add review changes and integration tests * fix: add integration tests for saml idp * fix: correct unit tests with review changes * fix: add saml session unit test * fix: add saml session unit test * fix: add saml session unit test * fix: changes from review * fix: changes from review * fix: proto build error * fix: proto build error * fix: proto build error * fix: proto require metadata oneof * fix: login with saml provider * fix: integration test for saml assertion * lint client.go * fix json tag * fix: linting * fix import * fix: linting * fix saml idp query * fix: linting * lint: try all issues * revert linting config * fix: add regenerate endpoints * fix: translations * fix mk.yaml * ignore acs path for user agent cookie * fix: add AuthFromProvider test for saml * fix: integration test for saml retrieve information --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-09-29 11:26:14 +02:00
// saml
SAMLIDCol.identifier(),
SAMLMetadataCol.identifier(),
SAMLKeyCol.identifier(),
SAMLCertificateCol.identifier(),
SAMLBindingCol.identifier(),
SAMLWithSignedRequestCol.identifier(),
feat(saml): allow setting nameid-format and alternative mapping for transient format (#7979) # Which Problems Are Solved ZITADEL currently always uses `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` in SAML requests, relying on the IdP to respect that flag and always return a peristent nameid in order to be able to map the external user with an existing user (idp link) in ZITADEL. In case the IdP however returns a `urn:oasis:names:tc:SAML:2.0:nameid-format:transient` (transient) nameid, the attribute will differ between each request and it will not be possible to match existing users. # How the Problems Are Solved This PR adds the following two options on SAML IdP: - **nameIDFormat**: allows to set the nameid-format used in the SAML Request - **transientMappingAttributeName**: allows to set an attribute name, which will be used instead of the nameid itself in case the returned nameid-format is transient # Additional Changes To reduce impact on current installations, the `idp_templates6_saml` table is altered with the two added columns by a setup job. New installations will automatically get the table with the two columns directly. All idp unit tests are updated to use `expectEventstore` instead of the deprecated `eventstoreExpect`. # Additional Context Closes #7483 Closes #7743 --------- Co-authored-by: peintnermax <max@caos.ch> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2024-05-23 07:04:07 +02:00
SAMLNameIDFormatCol.identifier(),
SAMLTransientMappingAttributeNameCol.identifier(),
feat: federated logout for SAML IdPs (#9931) # Which Problems Are Solved Currently if a user signs in using an IdP, once they sign out of Zitadel, the corresponding IdP session is not terminated. This can be the desired behavior. In some cases, e.g. when using a shared computer it results in a potential security risk, since a follower user might be able to sign in as the previous using the still open IdP session. # How the Problems Are Solved - Admins can enabled a federated logout option on SAML IdPs through the Admin and Management APIs. - During the termination of a login V1 session using OIDC end_session endpoint, Zitadel will check if an IdP was used to authenticate that session. - In case there was a SAML IdP used with Federated Logout enabled, it will intercept the logout process, store the information into the shared cache and redirect to the federated logout endpoint in the V1 login. - The V1 login federated logout endpoint checks every request on an existing cache entry. On success it will create a SAML logout request for the used IdP and either redirect or POST to the configured SLO endpoint. The cache entry is updated with a `redirected` state. - A SLO endpoint is added to the `/idp` handlers, which will handle the SAML logout responses. At the moment it will check again for an existing federated logout entry (with state `redirected`) in the cache. On success, the user is redirected to the initially provided `post_logout_redirect_uri` from the end_session request. # Additional Changes None # Additional Context - This PR merges the https://github.com/zitadel/zitadel/pull/9841 and https://github.com/zitadel/zitadel/pull/9854 to main, additionally updating the docs on Entra ID SAML. - closes #9228 - backport to 3.x --------- Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com> Co-authored-by: Zach Hirschtritt <zachary.hirschtritt@klaviyo.com>
2025-05-23 13:52:25 +02:00
SAMLFederatedLogoutEnabledCol.identifier(),
feat(api): add generic oauth provider template (#5260) adds functionality to manage templates based OIDC IDPs
2023-02-24 15:16:06 +01:00
// ldap
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
LDAPIDCol.identifier(),
feat: ldap provider login (#5448) Add the logic to configure and use LDAP provider as an external IDP with a dedicated login GUI.
2023-03-24 16:18:56 +01:00
LDAPServersCol.identifier(),
LDAPStartTLSCol.identifier(),
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
LDAPBaseDNCol.identifier(),
feat: ldap provider login (#5448) Add the logic to configure and use LDAP provider as an external IDP with a dedicated login GUI.
2023-03-24 16:18:56 +01:00
LDAPBindDNCol.identifier(),
LDAPBindPasswordCol.identifier(),
LDAPUserBaseCol.identifier(),
LDAPUserObjectClassesCol.identifier(),
LDAPUserFiltersCol.identifier(),
LDAPTimeoutCol.identifier(),
feat(ldap): adding root ca option to ldap config (#9292) # Which Problems Are Solved Adding ability to add a root CA to LDAP configs # Additional Context - Closes https://github.com/zitadel/zitadel/issues/7888 --------- Co-authored-by: Iraq Jaber <IraqJaber@gmail.com>
2025-02-18 10:06:50 +00:00
LDAPRootCACol.identifier(),
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
LDAPIDAttributeCol.identifier(),
LDAPFirstNameAttributeCol.identifier(),
LDAPLastNameAttributeCol.identifier(),
LDAPDisplayNameAttributeCol.identifier(),
LDAPNickNameAttributeCol.identifier(),
LDAPPreferredUsernameAttributeCol.identifier(),
LDAPEmailAttributeCol.identifier(),
LDAPEmailVerifiedAttributeCol.identifier(),
LDAPPhoneAttributeCol.identifier(),
LDAPPhoneVerifiedAttributeCol.identifier(),
LDAPPreferredLanguageAttributeCol.identifier(),
LDAPAvatarURLAttributeCol.identifier(),
LDAPProfileAttributeCol.identifier(),
feat: add apple as idp (#6442) * feat: manage apple idp * handle apple idp callback * add tests for provider * basic console implementation * implement flow for login UI and add logos / styling * tests * cleanup * add upload button * begin i18n * apple logo positioning, file upload component * fix add apple instance idp * add missing apple logos for login * update to go 1.21 * fix slice compare * revert permission changes * concrete error messages * translate login apple logo -y-2px * change form parsing * sign in button * fix tests * lint console --------- Co-authored-by: peintnermax <max@caos.ch>
2023-08-31 08:39:16 +02:00
// apple
AppleIDCol.identifier(),
AppleClientIDCol.identifier(),
AppleTeamIDCol.identifier(),
AppleKeyIDCol.identifier(),
ApplePrivateKeyCol.identifier(),
AppleScopesCol.identifier(),
// count
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
countColumn.identifier(),
).From(idpTemplateTable.identifier()).
feat(api): add generic oauth provider template (#5260) adds functionality to manage templates based OIDC IDPs
2023-02-24 15:16:06 +01:00
LeftJoin(join(OAuthIDCol, IDPTemplateIDCol)).
feat(api): add oidc and jwt provider template (#5290) Adds possibility to manage OIDC and JWT template based providers
2023-02-27 16:32:18 +01:00
LeftJoin(join(OIDCIDCol, IDPTemplateIDCol)).
LeftJoin(join(JWTIDCol, IDPTemplateIDCol)).
feat: add azure provider templates (#5441) Adds possibility to manage and use Microsoft Azure template based providers
2023-03-15 07:48:37 +01:00
LeftJoin(join(AzureADIDCol, IDPTemplateIDCol)).
feat: add github provider template (#5334) Adds possibility to manage and use GitHub (incl. Enterprise Server) template based providers
2023-03-08 11:17:28 +01:00
LeftJoin(join(GitHubIDCol, IDPTemplateIDCol)).
LeftJoin(join(GitHubEnterpriseIDCol, IDPTemplateIDCol)).
feat: add gitlab provider templates (#5405) * feat(api): add google provider template * refactor reduce functions * handle removed event * linting * fix projection * feat(api): add generic oauth provider template * feat(api): add github provider templates * feat(api): add github provider templates * fixes * proto comment * fix filtering * requested changes * feat(api): add generic oauth provider template * remove wrongly committed message * increase budget for angular build * fix linting * fixes * fix merge * fix merge * fix projection * fix merge * updates from previous PRs * enable github providers in login * fix merge * fix test and add github styling in login * cleanup * feat(api): add gitlab provider templates * fix: merge * fix display of providers in login * implement gitlab in login and make prompt `select_account` optional since gitlab can't handle it * fix merge * fix merge and add tests for command side * requested changes * requested changes * Update internal/query/idp_template.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix merge * requested changes --------- Co-authored-by: Silvan <silvan.reusser@gmail.com>
2023-03-13 17:34:29 +01:00
LeftJoin(join(GitLabIDCol, IDPTemplateIDCol)).
LeftJoin(join(GitLabSelfHostedIDCol, IDPTemplateIDCol)).
feat(api): add google provider template (#5247) add functionality to manage templates based Google IDP
2023-02-21 18:18:28 +01:00
LeftJoin(join(GoogleIDCol, IDPTemplateIDCol)).
feat: add SAML as identity provider (#6454) * feat: first implementation for saml sp * fix: add command side instance and org for saml provider * fix: add query side instance and org for saml provider * fix: request handling in event and retrieval of finished intent * fix: add review changes and integration tests * fix: add integration tests for saml idp * fix: correct unit tests with review changes * fix: add saml session unit test * fix: add saml session unit test * fix: add saml session unit test * fix: changes from review * fix: changes from review * fix: proto build error * fix: proto build error * fix: proto build error * fix: proto require metadata oneof * fix: login with saml provider * fix: integration test for saml assertion * lint client.go * fix json tag * fix: linting * fix import * fix: linting * fix saml idp query * fix: linting * lint: try all issues * revert linting config * fix: add regenerate endpoints * fix: translations * fix mk.yaml * ignore acs path for user agent cookie * fix: add AuthFromProvider test for saml * fix: integration test for saml retrieve information --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-09-29 11:26:14 +02:00
LeftJoin(join(SAMLIDCol, IDPTemplateIDCol)).
feat: add apple as idp (#6442) * feat: manage apple idp * handle apple idp callback * add tests for provider * basic console implementation * implement flow for login UI and add logos / styling * tests * cleanup * add upload button * begin i18n * apple logo positioning, file upload component * fix add apple instance idp * add missing apple logos for login * update to go 1.21 * fix slice compare * revert permission changes * concrete error messages * translate login apple logo -y-2px * change form parsing * sign in button * fix tests * lint console --------- Co-authored-by: peintnermax <max@caos.ch>
2023-08-31 08:39:16 +02:00
LeftJoin(join(LDAPIDCol, IDPTemplateIDCol)).
chore!: Introduce ZITADEL v3 (#9645) This PR summarizes multiple changes specifically only available with ZITADEL v3: - feat: Web Keys management (https://github.com/zitadel/zitadel/pull/9526) - fix(cmd): ensure proper working of mirror (https://github.com/zitadel/zitadel/pull/9509) - feat(Authz): system user support for permission check v2 (https://github.com/zitadel/zitadel/pull/9640) - chore(license): change from Apache to AGPL (https://github.com/zitadel/zitadel/pull/9597) - feat(console): list v2 sessions (https://github.com/zitadel/zitadel/pull/9539) - fix(console): add loginV2 feature flag (https://github.com/zitadel/zitadel/pull/9682) - fix(feature flags): allow reading "own" flags (https://github.com/zitadel/zitadel/pull/9649) - feat(console): add Actions V2 UI (https://github.com/zitadel/zitadel/pull/9591) BREAKING CHANGE - feat(webkey): migrate to v2beta API (https://github.com/zitadel/zitadel/pull/9445) - chore!: remove CockroachDB Support (https://github.com/zitadel/zitadel/pull/9444) - feat(actions): migrate to v2beta API (https://github.com/zitadel/zitadel/pull/9489) --------- Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com> Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com> Co-authored-by: Ramon <mail@conblem.me> Co-authored-by: Elio Bischof <elio@zitadel.com> Co-authored-by: Kenta Yamaguchi <56732734+KEY60228@users.noreply.github.com> Co-authored-by: Harsha Reddy <harsha.reddy@klaviyo.com> Co-authored-by: Livio Spring <livio@zitadel.com> Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Iraq <66622793+kkrime@users.noreply.github.com> Co-authored-by: Florian Forster <florian@zitadel.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Max Peintner <peintnerm@gmail.com>
2025-04-02 16:53:06 +02:00
LeftJoin(join(AppleIDCol, IDPTemplateIDCol)).
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
PlaceholderFormat(sq.Dollar),
func(rows *sql.Rows) (*IDPTemplates, error) {
templates := make([]*IDPTemplate, 0)
var count uint64
for rows.Next() {
idpTemplate := new(IDPTemplate)
feat(api): add google provider template (#5247) add functionality to manage templates based Google IDP
2023-02-21 18:18:28 +01:00
name := sql.NullString{}
feat(api): add generic oauth provider template (#5260) adds functionality to manage templates based OIDC IDPs
2023-02-24 15:16:06 +01:00
oauthID := sql.NullString{}
oauthClientID := sql.NullString{}
oauthClientSecret := new(crypto.CryptoValue)
oauthAuthorizationEndpoint := sql.NullString{}
oauthTokenEndpoint := sql.NullString{}
oauthUserEndpoint := sql.NullString{}
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
oauthScopes := database.TextArray[string]{}
fix: use of generic oauth provider (#5345) Adds a id_attribute to the GenericOAuthProvider, which is used to map the external User. Further mapping can be done in actions by using the `rawInfo` of the new `ctx.v1.providerInfo` field.
2023-03-03 11:38:49 +01:00
oauthIDAttribute := sql.NullString{}
feat: add PKCE option to generic OAuth2 / OIDC identity providers (#9373) # Which Problems Are Solved Some OAuth2 and OIDC providers require the use of PKCE for all their clients. While ZITADEL already recommended the same for its clients, it did not yet support the option on the IdP configuration. # How the Problems Are Solved - A new boolean `use_pkce` is added to the add/update generic OAuth/OIDC endpoints. - A new checkbox is added to the generic OAuth and OIDC provider templates. - The `rp.WithPKCE` option is added to the provider if the use of PKCE has been set. - The `rp.WithCodeChallenge` and `rp.WithCodeVerifier` options are added to the OIDC/Auth BeginAuth and CodeExchange function. - Store verifier or any other persistent argument in the intent or auth request. - Create corresponding session object before creating the intent, to be able to store the information. - (refactored session structs to use a constructor for unified creation and better overview of actual usage) Here's a screenshot showing the URI including the PKCE params: ![use_pkce_in_url](https://github.com/zitadel/zitadel/assets/30386061/eaeab123-a5da-4826-b001-2ae9efa35169) # Additional Changes None. # Additional Context - Closes #6449 - This PR replaces the existing PR (#8228) of @doncicuto. The base he did was cherry picked. Thank you very much for that! --------- Co-authored-by: Miguel Cabrerizo <doncicuto@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-02-26 13:20:47 +01:00
oauthUserPKCE := sql.NullBool{}
feat(api): add generic oauth provider template (#5260) adds functionality to manage templates based OIDC IDPs
2023-02-24 15:16:06 +01:00
feat(api): add oidc and jwt provider template (#5290) Adds possibility to manage OIDC and JWT template based providers
2023-02-27 16:32:18 +01:00
oidcID := sql.NullString{}
oidcIssuer := sql.NullString{}
oidcClientID := sql.NullString{}
oidcClientSecret := new(crypto.CryptoValue)
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
oidcScopes := database.TextArray[string]{}
fix: use idToken for mapping when using old configs (#5458) * fix: use idToken for mapping when using old configs * fix events and add tests
2023-03-16 16:47:22 +01:00
oidcIDTokenMapping := sql.NullBool{}
feat: add PKCE option to generic OAuth2 / OIDC identity providers (#9373) # Which Problems Are Solved Some OAuth2 and OIDC providers require the use of PKCE for all their clients. While ZITADEL already recommended the same for its clients, it did not yet support the option on the IdP configuration. # How the Problems Are Solved - A new boolean `use_pkce` is added to the add/update generic OAuth/OIDC endpoints. - A new checkbox is added to the generic OAuth and OIDC provider templates. - The `rp.WithPKCE` option is added to the provider if the use of PKCE has been set. - The `rp.WithCodeChallenge` and `rp.WithCodeVerifier` options are added to the OIDC/Auth BeginAuth and CodeExchange function. - Store verifier or any other persistent argument in the intent or auth request. - Create corresponding session object before creating the intent, to be able to store the information. - (refactored session structs to use a constructor for unified creation and better overview of actual usage) Here's a screenshot showing the URI including the PKCE params: ![use_pkce_in_url](https://github.com/zitadel/zitadel/assets/30386061/eaeab123-a5da-4826-b001-2ae9efa35169) # Additional Changes None. # Additional Context - Closes #6449 - This PR replaces the existing PR (#8228) of @doncicuto. The base he did was cherry picked. Thank you very much for that! --------- Co-authored-by: Miguel Cabrerizo <doncicuto@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-02-26 13:20:47 +01:00
oidcUserPKCE := sql.NullBool{}
feat(api): add oidc and jwt provider template (#5290) Adds possibility to manage OIDC and JWT template based providers
2023-02-27 16:32:18 +01:00
jwtID := sql.NullString{}
jwtIssuer := sql.NullString{}
jwtEndpoint := sql.NullString{}
jwtKeysEndpoint := sql.NullString{}
jwtHeaderName := sql.NullString{}
feat: add azure provider templates (#5441) Adds possibility to manage and use Microsoft Azure template based providers
2023-03-15 07:48:37 +01:00
azureadID := sql.NullString{}
azureadClientID := sql.NullString{}
azureadClientSecret := new(crypto.CryptoValue)
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
azureadScopes := database.TextArray[string]{}
feat: add azure provider templates (#5441) Adds possibility to manage and use Microsoft Azure template based providers
2023-03-15 07:48:37 +01:00
azureadTenant := sql.NullString{}
azureadIsEmailVerified := sql.NullBool{}
feat: add github provider template (#5334) Adds possibility to manage and use GitHub (incl. Enterprise Server) template based providers
2023-03-08 11:17:28 +01:00
githubID := sql.NullString{}
githubClientID := sql.NullString{}
githubClientSecret := new(crypto.CryptoValue)
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
githubScopes := database.TextArray[string]{}
feat: add github provider template (#5334) Adds possibility to manage and use GitHub (incl. Enterprise Server) template based providers
2023-03-08 11:17:28 +01:00
githubEnterpriseID := sql.NullString{}
githubEnterpriseClientID := sql.NullString{}
githubEnterpriseClientSecret := new(crypto.CryptoValue)
githubEnterpriseAuthorizationEndpoint := sql.NullString{}
githubEnterpriseTokenEndpoint := sql.NullString{}
githubEnterpriseUserEndpoint := sql.NullString{}
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
githubEnterpriseScopes := database.TextArray[string]{}
feat: add github provider template (#5334) Adds possibility to manage and use GitHub (incl. Enterprise Server) template based providers
2023-03-08 11:17:28 +01:00
feat: add gitlab provider templates (#5405) * feat(api): add google provider template * refactor reduce functions * handle removed event * linting * fix projection * feat(api): add generic oauth provider template * feat(api): add github provider templates * feat(api): add github provider templates * fixes * proto comment * fix filtering * requested changes * feat(api): add generic oauth provider template * remove wrongly committed message * increase budget for angular build * fix linting * fixes * fix merge * fix merge * fix projection * fix merge * updates from previous PRs * enable github providers in login * fix merge * fix test and add github styling in login * cleanup * feat(api): add gitlab provider templates * fix: merge * fix display of providers in login * implement gitlab in login and make prompt `select_account` optional since gitlab can't handle it * fix merge * fix merge and add tests for command side * requested changes * requested changes * Update internal/query/idp_template.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix merge * requested changes --------- Co-authored-by: Silvan <silvan.reusser@gmail.com>
2023-03-13 17:34:29 +01:00
gitlabID := sql.NullString{}
gitlabClientID := sql.NullString{}
gitlabClientSecret := new(crypto.CryptoValue)
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
gitlabScopes := database.TextArray[string]{}
feat: add gitlab provider templates (#5405) * feat(api): add google provider template * refactor reduce functions * handle removed event * linting * fix projection * feat(api): add generic oauth provider template * feat(api): add github provider templates * feat(api): add github provider templates * fixes * proto comment * fix filtering * requested changes * feat(api): add generic oauth provider template * remove wrongly committed message * increase budget for angular build * fix linting * fixes * fix merge * fix merge * fix projection * fix merge * updates from previous PRs * enable github providers in login * fix merge * fix test and add github styling in login * cleanup * feat(api): add gitlab provider templates * fix: merge * fix display of providers in login * implement gitlab in login and make prompt `select_account` optional since gitlab can't handle it * fix merge * fix merge and add tests for command side * requested changes * requested changes * Update internal/query/idp_template.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix merge * requested changes --------- Co-authored-by: Silvan <silvan.reusser@gmail.com>
2023-03-13 17:34:29 +01:00
gitlabSelfHostedID := sql.NullString{}
gitlabSelfHostedIssuer := sql.NullString{}
gitlabSelfHostedClientID := sql.NullString{}
gitlabSelfHostedClientSecret := new(crypto.CryptoValue)
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
gitlabSelfHostedScopes := database.TextArray[string]{}
feat: add gitlab provider templates (#5405) * feat(api): add google provider template * refactor reduce functions * handle removed event * linting * fix projection * feat(api): add generic oauth provider template * feat(api): add github provider templates * feat(api): add github provider templates * fixes * proto comment * fix filtering * requested changes * feat(api): add generic oauth provider template * remove wrongly committed message * increase budget for angular build * fix linting * fixes * fix merge * fix merge * fix projection * fix merge * updates from previous PRs * enable github providers in login * fix merge * fix test and add github styling in login * cleanup * feat(api): add gitlab provider templates * fix: merge * fix display of providers in login * implement gitlab in login and make prompt `select_account` optional since gitlab can't handle it * fix merge * fix merge and add tests for command side * requested changes * requested changes * Update internal/query/idp_template.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix merge * requested changes --------- Co-authored-by: Silvan <silvan.reusser@gmail.com>
2023-03-13 17:34:29 +01:00
feat(api): add google provider template (#5247) add functionality to manage templates based Google IDP
2023-02-21 18:18:28 +01:00
googleID := sql.NullString{}
googleClientID := sql.NullString{}
googleClientSecret := new(crypto.CryptoValue)
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
googleScopes := database.TextArray[string]{}
feat(api): add google provider template (#5247) add functionality to manage templates based Google IDP
2023-02-21 18:18:28 +01:00
feat: add SAML as identity provider (#6454) * feat: first implementation for saml sp * fix: add command side instance and org for saml provider * fix: add query side instance and org for saml provider * fix: request handling in event and retrieval of finished intent * fix: add review changes and integration tests * fix: add integration tests for saml idp * fix: correct unit tests with review changes * fix: add saml session unit test * fix: add saml session unit test * fix: add saml session unit test * fix: changes from review * fix: changes from review * fix: proto build error * fix: proto build error * fix: proto build error * fix: proto require metadata oneof * fix: login with saml provider * fix: integration test for saml assertion * lint client.go * fix json tag * fix: linting * fix import * fix: linting * fix saml idp query * fix: linting * lint: try all issues * revert linting config * fix: add regenerate endpoints * fix: translations * fix mk.yaml * ignore acs path for user agent cookie * fix: add AuthFromProvider test for saml * fix: integration test for saml retrieve information --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-09-29 11:26:14 +02:00
samlID := sql.NullString{}
var samlMetadata []byte
samlKey := new(crypto.CryptoValue)
var samlCertificate []byte
samlBinding := sql.NullString{}
samlWithSignedRequest := sql.NullBool{}
feat(saml): allow setting nameid-format and alternative mapping for transient format (#7979) # Which Problems Are Solved ZITADEL currently always uses `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` in SAML requests, relying on the IdP to respect that flag and always return a peristent nameid in order to be able to map the external user with an existing user (idp link) in ZITADEL. In case the IdP however returns a `urn:oasis:names:tc:SAML:2.0:nameid-format:transient` (transient) nameid, the attribute will differ between each request and it will not be possible to match existing users. # How the Problems Are Solved This PR adds the following two options on SAML IdP: - **nameIDFormat**: allows to set the nameid-format used in the SAML Request - **transientMappingAttributeName**: allows to set an attribute name, which will be used instead of the nameid itself in case the returned nameid-format is transient # Additional Changes To reduce impact on current installations, the `idp_templates6_saml` table is altered with the two added columns by a setup job. New installations will automatically get the table with the two columns directly. All idp unit tests are updated to use `expectEventstore` instead of the deprecated `eventstoreExpect`. # Additional Context Closes #7483 Closes #7743 --------- Co-authored-by: peintnermax <max@caos.ch> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2024-05-23 07:04:07 +02:00
samlNameIDFormat := sql.Null[domain.SAMLNameIDFormat]{}
samlTransientMappingAttributeName := sql.NullString{}
feat: federated logout for SAML IdPs (#9931) # Which Problems Are Solved Currently if a user signs in using an IdP, once they sign out of Zitadel, the corresponding IdP session is not terminated. This can be the desired behavior. In some cases, e.g. when using a shared computer it results in a potential security risk, since a follower user might be able to sign in as the previous using the still open IdP session. # How the Problems Are Solved - Admins can enabled a federated logout option on SAML IdPs through the Admin and Management APIs. - During the termination of a login V1 session using OIDC end_session endpoint, Zitadel will check if an IdP was used to authenticate that session. - In case there was a SAML IdP used with Federated Logout enabled, it will intercept the logout process, store the information into the shared cache and redirect to the federated logout endpoint in the V1 login. - The V1 login federated logout endpoint checks every request on an existing cache entry. On success it will create a SAML logout request for the used IdP and either redirect or POST to the configured SLO endpoint. The cache entry is updated with a `redirected` state. - A SLO endpoint is added to the `/idp` handlers, which will handle the SAML logout responses. At the moment it will check again for an existing federated logout entry (with state `redirected`) in the cache. On success, the user is redirected to the initially provided `post_logout_redirect_uri` from the end_session request. # Additional Changes None # Additional Context - This PR merges the https://github.com/zitadel/zitadel/pull/9841 and https://github.com/zitadel/zitadel/pull/9854 to main, additionally updating the docs on Entra ID SAML. - closes #9228 - backport to 3.x --------- Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com> Co-authored-by: Zach Hirschtritt <zachary.hirschtritt@klaviyo.com>
2025-05-23 13:52:25 +02:00
samlFederatedLogoutEnabled := sql.NullBool{}
feat: add SAML as identity provider (#6454) * feat: first implementation for saml sp * fix: add command side instance and org for saml provider * fix: add query side instance and org for saml provider * fix: request handling in event and retrieval of finished intent * fix: add review changes and integration tests * fix: add integration tests for saml idp * fix: correct unit tests with review changes * fix: add saml session unit test * fix: add saml session unit test * fix: add saml session unit test * fix: changes from review * fix: changes from review * fix: proto build error * fix: proto build error * fix: proto build error * fix: proto require metadata oneof * fix: login with saml provider * fix: integration test for saml assertion * lint client.go * fix json tag * fix: linting * fix import * fix: linting * fix saml idp query * fix: linting * lint: try all issues * revert linting config * fix: add regenerate endpoints * fix: translations * fix mk.yaml * ignore acs path for user agent cookie * fix: add AuthFromProvider test for saml * fix: integration test for saml retrieve information --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-09-29 11:26:14 +02:00
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
ldapID := sql.NullString{}
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
ldapServers := database.TextArray[string]{}
feat: ldap provider login (#5448) Add the logic to configure and use LDAP provider as an external IDP with a dedicated login GUI.
2023-03-24 16:18:56 +01:00
ldapStartTls := sql.NullBool{}
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
ldapBaseDN := sql.NullString{}
feat: ldap provider login (#5448) Add the logic to configure and use LDAP provider as an external IDP with a dedicated login GUI.
2023-03-24 16:18:56 +01:00
ldapBindDN := sql.NullString{}
ldapBindPassword := new(crypto.CryptoValue)
ldapUserBase := sql.NullString{}
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
ldapUserObjectClasses := database.TextArray[string]{}
ldapUserFilters := database.TextArray[string]{}
feat: ldap provider login (#5448) Add the logic to configure and use LDAP provider as an external IDP with a dedicated login GUI.
2023-03-24 16:18:56 +01:00
ldapTimeout := sql.NullInt64{}
feat(ldap): adding root ca option to ldap config (#9292) # Which Problems Are Solved Adding ability to add a root CA to LDAP configs # Additional Context - Closes https://github.com/zitadel/zitadel/issues/7888 --------- Co-authored-by: Iraq Jaber <IraqJaber@gmail.com>
2025-02-18 10:06:50 +00:00
var ldapRootCA []byte
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
ldapIDAttribute := sql.NullString{}
ldapFirstNameAttribute := sql.NullString{}
ldapLastNameAttribute := sql.NullString{}
ldapDisplayNameAttribute := sql.NullString{}
ldapNickNameAttribute := sql.NullString{}
ldapPreferredUsernameAttribute := sql.NullString{}
ldapEmailAttribute := sql.NullString{}
ldapEmailVerifiedAttribute := sql.NullString{}
ldapPhoneAttribute := sql.NullString{}
ldapPhoneVerifiedAttribute := sql.NullString{}
ldapPreferredLanguageAttribute := sql.NullString{}
ldapAvatarURLAttribute := sql.NullString{}
ldapProfileAttribute := sql.NullString{}
feat: add apple as idp (#6442) * feat: manage apple idp * handle apple idp callback * add tests for provider * basic console implementation * implement flow for login UI and add logos / styling * tests * cleanup * add upload button * begin i18n * apple logo positioning, file upload component * fix add apple instance idp * add missing apple logos for login * update to go 1.21 * fix slice compare * revert permission changes * concrete error messages * translate login apple logo -y-2px * change form parsing * sign in button * fix tests * lint console --------- Co-authored-by: peintnermax <max@caos.ch>
2023-08-31 08:39:16 +02:00
appleID := sql.NullString{}
appleClientID := sql.NullString{}
appleTeamID := sql.NullString{}
appleKeyID := sql.NullString{}
applePrivateKey := new(crypto.CryptoValue)
feat(eventstore): increase parallel write capabilities (#5940) This implementation increases parallel write capabilities of the eventstore. Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and [06](https://zitadel.com/docs/support/advisory/a10006). The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`. If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
appleScopes := database.TextArray[string]{}
feat: add apple as idp (#6442) * feat: manage apple idp * handle apple idp callback * add tests for provider * basic console implementation * implement flow for login UI and add logos / styling * tests * cleanup * add upload button * begin i18n * apple logo positioning, file upload component * fix add apple instance idp * add missing apple logos for login * update to go 1.21 * fix slice compare * revert permission changes * concrete error messages * translate login apple logo -y-2px * change form parsing * sign in button * fix tests * lint console --------- Co-authored-by: peintnermax <max@caos.ch>
2023-08-31 08:39:16 +02:00
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
err := rows.Scan(
&idpTemplate.ID,
&idpTemplate.ResourceOwner,
&idpTemplate.CreationDate,
&idpTemplate.ChangeDate,
&idpTemplate.Sequence,
&idpTemplate.State,
feat(api): add google provider template (#5247) add functionality to manage templates based Google IDP
2023-02-21 18:18:28 +01:00
&name,
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
&idpTemplate.Type,
&idpTemplate.OwnerType,
&idpTemplate.IsCreationAllowed,
&idpTemplate.IsLinkingAllowed,
&idpTemplate.IsAutoCreation,
&idpTemplate.IsAutoUpdate,
feat(idp): provide option to auto link user (#7734) * init auto linking * prompt handling * working * translations * console * fixes * unify * custom texts * fix tests * linting * fix check of existing user * fix bg translation * set unspecified as default in the form
2024-04-10 17:46:30 +02:00
&idpTemplate.AutoLinking,
feat(api): add generic oauth provider template (#5260) adds functionality to manage templates based OIDC IDPs
2023-02-24 15:16:06 +01:00
// oauth
&oauthID,
&oauthClientID,
&oauthClientSecret,
&oauthAuthorizationEndpoint,
&oauthTokenEndpoint,
&oauthUserEndpoint,
&oauthScopes,
fix: use of generic oauth provider (#5345) Adds a id_attribute to the GenericOAuthProvider, which is used to map the external User. Further mapping can be done in actions by using the `rawInfo` of the new `ctx.v1.providerInfo` field.
2023-03-03 11:38:49 +01:00
&oauthIDAttribute,
feat: add PKCE option to generic OAuth2 / OIDC identity providers (#9373) # Which Problems Are Solved Some OAuth2 and OIDC providers require the use of PKCE for all their clients. While ZITADEL already recommended the same for its clients, it did not yet support the option on the IdP configuration. # How the Problems Are Solved - A new boolean `use_pkce` is added to the add/update generic OAuth/OIDC endpoints. - A new checkbox is added to the generic OAuth and OIDC provider templates. - The `rp.WithPKCE` option is added to the provider if the use of PKCE has been set. - The `rp.WithCodeChallenge` and `rp.WithCodeVerifier` options are added to the OIDC/Auth BeginAuth and CodeExchange function. - Store verifier or any other persistent argument in the intent or auth request. - Create corresponding session object before creating the intent, to be able to store the information. - (refactored session structs to use a constructor for unified creation and better overview of actual usage) Here's a screenshot showing the URI including the PKCE params: ![use_pkce_in_url](https://github.com/zitadel/zitadel/assets/30386061/eaeab123-a5da-4826-b001-2ae9efa35169) # Additional Changes None. # Additional Context - Closes #6449 - This PR replaces the existing PR (#8228) of @doncicuto. The base he did was cherry picked. Thank you very much for that! --------- Co-authored-by: Miguel Cabrerizo <doncicuto@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-02-26 13:20:47 +01:00
&oauthUserPKCE,
feat(api): add oidc and jwt provider template (#5290) Adds possibility to manage OIDC and JWT template based providers
2023-02-27 16:32:18 +01:00
// oidc
&oidcID,
&oidcIssuer,
&oidcClientID,
&oidcClientSecret,
&oidcScopes,
fix: use idToken for mapping when using old configs (#5458) * fix: use idToken for mapping when using old configs * fix events and add tests
2023-03-16 16:47:22 +01:00
&oidcIDTokenMapping,
feat: add PKCE option to generic OAuth2 / OIDC identity providers (#9373) # Which Problems Are Solved Some OAuth2 and OIDC providers require the use of PKCE for all their clients. While ZITADEL already recommended the same for its clients, it did not yet support the option on the IdP configuration. # How the Problems Are Solved - A new boolean `use_pkce` is added to the add/update generic OAuth/OIDC endpoints. - A new checkbox is added to the generic OAuth and OIDC provider templates. - The `rp.WithPKCE` option is added to the provider if the use of PKCE has been set. - The `rp.WithCodeChallenge` and `rp.WithCodeVerifier` options are added to the OIDC/Auth BeginAuth and CodeExchange function. - Store verifier or any other persistent argument in the intent or auth request. - Create corresponding session object before creating the intent, to be able to store the information. - (refactored session structs to use a constructor for unified creation and better overview of actual usage) Here's a screenshot showing the URI including the PKCE params: ![use_pkce_in_url](https://github.com/zitadel/zitadel/assets/30386061/eaeab123-a5da-4826-b001-2ae9efa35169) # Additional Changes None. # Additional Context - Closes #6449 - This PR replaces the existing PR (#8228) of @doncicuto. The base he did was cherry picked. Thank you very much for that! --------- Co-authored-by: Miguel Cabrerizo <doncicuto@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-02-26 13:20:47 +01:00
&oidcUserPKCE,
feat(api): add oidc and jwt provider template (#5290) Adds possibility to manage OIDC and JWT template based providers
2023-02-27 16:32:18 +01:00
// jwt
&jwtID,
&jwtIssuer,
&jwtEndpoint,
&jwtKeysEndpoint,
&jwtHeaderName,
feat: add azure provider templates (#5441) Adds possibility to manage and use Microsoft Azure template based providers
2023-03-15 07:48:37 +01:00
// azure
&azureadID,
&azureadClientID,
&azureadClientSecret,
&azureadScopes,
&azureadTenant,
&azureadIsEmailVerified,
feat: add github provider template (#5334) Adds possibility to manage and use GitHub (incl. Enterprise Server) template based providers
2023-03-08 11:17:28 +01:00
// github
&githubID,
&githubClientID,
&githubClientSecret,
&githubScopes,
// github enterprise
&githubEnterpriseID,
&githubEnterpriseClientID,
&githubEnterpriseClientSecret,
&githubEnterpriseAuthorizationEndpoint,
&githubEnterpriseTokenEndpoint,
&githubEnterpriseUserEndpoint,
&githubEnterpriseScopes,
feat: add gitlab provider templates (#5405) * feat(api): add google provider template * refactor reduce functions * handle removed event * linting * fix projection * feat(api): add generic oauth provider template * feat(api): add github provider templates * feat(api): add github provider templates * fixes * proto comment * fix filtering * requested changes * feat(api): add generic oauth provider template * remove wrongly committed message * increase budget for angular build * fix linting * fixes * fix merge * fix merge * fix projection * fix merge * updates from previous PRs * enable github providers in login * fix merge * fix test and add github styling in login * cleanup * feat(api): add gitlab provider templates * fix: merge * fix display of providers in login * implement gitlab in login and make prompt `select_account` optional since gitlab can't handle it * fix merge * fix merge and add tests for command side * requested changes * requested changes * Update internal/query/idp_template.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix merge * requested changes --------- Co-authored-by: Silvan <silvan.reusser@gmail.com>
2023-03-13 17:34:29 +01:00
// gitlab
&gitlabID,
&gitlabClientID,
&gitlabClientSecret,
&gitlabScopes,
// gitlab self hosted
&gitlabSelfHostedID,
&gitlabSelfHostedIssuer,
&gitlabSelfHostedClientID,
&gitlabSelfHostedClientSecret,
&gitlabSelfHostedScopes,
feat(api): add generic oauth provider template (#5260) adds functionality to manage templates based OIDC IDPs
2023-02-24 15:16:06 +01:00
// google
feat(api): add google provider template (#5247) add functionality to manage templates based Google IDP
2023-02-21 18:18:28 +01:00
&googleID,
&googleClientID,
&googleClientSecret,
&googleScopes,
feat: add SAML as identity provider (#6454) * feat: first implementation for saml sp * fix: add command side instance and org for saml provider * fix: add query side instance and org for saml provider * fix: request handling in event and retrieval of finished intent * fix: add review changes and integration tests * fix: add integration tests for saml idp * fix: correct unit tests with review changes * fix: add saml session unit test * fix: add saml session unit test * fix: add saml session unit test * fix: changes from review * fix: changes from review * fix: proto build error * fix: proto build error * fix: proto build error * fix: proto require metadata oneof * fix: login with saml provider * fix: integration test for saml assertion * lint client.go * fix json tag * fix: linting * fix import * fix: linting * fix saml idp query * fix: linting * lint: try all issues * revert linting config * fix: add regenerate endpoints * fix: translations * fix mk.yaml * ignore acs path for user agent cookie * fix: add AuthFromProvider test for saml * fix: integration test for saml retrieve information --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-09-29 11:26:14 +02:00
// saml
&samlID,
&samlMetadata,
&samlKey,
&samlCertificate,
&samlBinding,
&samlWithSignedRequest,
feat(saml): allow setting nameid-format and alternative mapping for transient format (#7979) # Which Problems Are Solved ZITADEL currently always uses `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` in SAML requests, relying on the IdP to respect that flag and always return a peristent nameid in order to be able to map the external user with an existing user (idp link) in ZITADEL. In case the IdP however returns a `urn:oasis:names:tc:SAML:2.0:nameid-format:transient` (transient) nameid, the attribute will differ between each request and it will not be possible to match existing users. # How the Problems Are Solved This PR adds the following two options on SAML IdP: - **nameIDFormat**: allows to set the nameid-format used in the SAML Request - **transientMappingAttributeName**: allows to set an attribute name, which will be used instead of the nameid itself in case the returned nameid-format is transient # Additional Changes To reduce impact on current installations, the `idp_templates6_saml` table is altered with the two added columns by a setup job. New installations will automatically get the table with the two columns directly. All idp unit tests are updated to use `expectEventstore` instead of the deprecated `eventstoreExpect`. # Additional Context Closes #7483 Closes #7743 --------- Co-authored-by: peintnermax <max@caos.ch> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2024-05-23 07:04:07 +02:00
&samlNameIDFormat,
&samlTransientMappingAttributeName,
feat: federated logout for SAML IdPs (#9931) # Which Problems Are Solved Currently if a user signs in using an IdP, once they sign out of Zitadel, the corresponding IdP session is not terminated. This can be the desired behavior. In some cases, e.g. when using a shared computer it results in a potential security risk, since a follower user might be able to sign in as the previous using the still open IdP session. # How the Problems Are Solved - Admins can enabled a federated logout option on SAML IdPs through the Admin and Management APIs. - During the termination of a login V1 session using OIDC end_session endpoint, Zitadel will check if an IdP was used to authenticate that session. - In case there was a SAML IdP used with Federated Logout enabled, it will intercept the logout process, store the information into the shared cache and redirect to the federated logout endpoint in the V1 login. - The V1 login federated logout endpoint checks every request on an existing cache entry. On success it will create a SAML logout request for the used IdP and either redirect or POST to the configured SLO endpoint. The cache entry is updated with a `redirected` state. - A SLO endpoint is added to the `/idp` handlers, which will handle the SAML logout responses. At the moment it will check again for an existing federated logout entry (with state `redirected`) in the cache. On success, the user is redirected to the initially provided `post_logout_redirect_uri` from the end_session request. # Additional Changes None # Additional Context - This PR merges the https://github.com/zitadel/zitadel/pull/9841 and https://github.com/zitadel/zitadel/pull/9854 to main, additionally updating the docs on Entra ID SAML. - closes #9228 - backport to 3.x --------- Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com> Co-authored-by: Zach Hirschtritt <zachary.hirschtritt@klaviyo.com>
2025-05-23 13:52:25 +02:00
&samlFederatedLogoutEnabled,
feat(api): add generic oauth provider template (#5260) adds functionality to manage templates based OIDC IDPs
2023-02-24 15:16:06 +01:00
// ldap
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
&ldapID,
feat: ldap provider login (#5448) Add the logic to configure and use LDAP provider as an external IDP with a dedicated login GUI.
2023-03-24 16:18:56 +01:00
&ldapServers,
&ldapStartTls,
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
&ldapBaseDN,
feat: ldap provider login (#5448) Add the logic to configure and use LDAP provider as an external IDP with a dedicated login GUI.
2023-03-24 16:18:56 +01:00
&ldapBindDN,
&ldapBindPassword,
&ldapUserBase,
&ldapUserObjectClasses,
&ldapUserFilters,
&ldapTimeout,
feat(ldap): adding root ca option to ldap config (#9292) # Which Problems Are Solved Adding ability to add a root CA to LDAP configs # Additional Context - Closes https://github.com/zitadel/zitadel/issues/7888 --------- Co-authored-by: Iraq Jaber <IraqJaber@gmail.com>
2025-02-18 10:06:50 +00:00
&ldapRootCA,
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
&ldapIDAttribute,
&ldapFirstNameAttribute,
&ldapLastNameAttribute,
&ldapDisplayNameAttribute,
&ldapNickNameAttribute,
&ldapPreferredUsernameAttribute,
&ldapEmailAttribute,
&ldapEmailVerifiedAttribute,
&ldapPhoneAttribute,
&ldapPhoneVerifiedAttribute,
&ldapPreferredLanguageAttribute,
&ldapAvatarURLAttribute,
&ldapProfileAttribute,
feat: add apple as idp (#6442) * feat: manage apple idp * handle apple idp callback * add tests for provider * basic console implementation * implement flow for login UI and add logos / styling * tests * cleanup * add upload button * begin i18n * apple logo positioning, file upload component * fix add apple instance idp * add missing apple logos for login * update to go 1.21 * fix slice compare * revert permission changes * concrete error messages * translate login apple logo -y-2px * change form parsing * sign in button * fix tests * lint console --------- Co-authored-by: peintnermax <max@caos.ch>
2023-08-31 08:39:16 +02:00
// apple
&appleID,
&appleClientID,
&appleTeamID,
&appleKeyID,
&applePrivateKey,
&appleScopes,
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
&count,
)
if err != nil {
return nil, err
}
feat(api): add google provider template (#5247) add functionality to manage templates based Google IDP
2023-02-21 18:18:28 +01:00
idpTemplate.Name = name.String
feat(api): add generic oauth provider template (#5260) adds functionality to manage templates based OIDC IDPs
2023-02-24 15:16:06 +01:00
if oauthID.Valid {
idpTemplate.OAuthIDPTemplate = &OAuthIDPTemplate{
IDPID: oauthID.String,
ClientID: oauthClientID.String,
ClientSecret: oauthClientSecret,
AuthorizationEndpoint: oauthAuthorizationEndpoint.String,
TokenEndpoint: oauthTokenEndpoint.String,
UserEndpoint: oauthUserEndpoint.String,
Scopes: oauthScopes,
fix: use of generic oauth provider (#5345) Adds a id_attribute to the GenericOAuthProvider, which is used to map the external User. Further mapping can be done in actions by using the `rawInfo` of the new `ctx.v1.providerInfo` field.
2023-03-03 11:38:49 +01:00
IDAttribute: oauthIDAttribute.String,
feat: add PKCE option to generic OAuth2 / OIDC identity providers (#9373) # Which Problems Are Solved Some OAuth2 and OIDC providers require the use of PKCE for all their clients. While ZITADEL already recommended the same for its clients, it did not yet support the option on the IdP configuration. # How the Problems Are Solved - A new boolean `use_pkce` is added to the add/update generic OAuth/OIDC endpoints. - A new checkbox is added to the generic OAuth and OIDC provider templates. - The `rp.WithPKCE` option is added to the provider if the use of PKCE has been set. - The `rp.WithCodeChallenge` and `rp.WithCodeVerifier` options are added to the OIDC/Auth BeginAuth and CodeExchange function. - Store verifier or any other persistent argument in the intent or auth request. - Create corresponding session object before creating the intent, to be able to store the information. - (refactored session structs to use a constructor for unified creation and better overview of actual usage) Here's a screenshot showing the URI including the PKCE params: ![use_pkce_in_url](https://github.com/zitadel/zitadel/assets/30386061/eaeab123-a5da-4826-b001-2ae9efa35169) # Additional Changes None. # Additional Context - Closes #6449 - This PR replaces the existing PR (#8228) of @doncicuto. The base he did was cherry picked. Thank you very much for that! --------- Co-authored-by: Miguel Cabrerizo <doncicuto@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-02-26 13:20:47 +01:00
UsePKCE: oauthUserPKCE.Bool,
feat(api): add generic oauth provider template (#5260) adds functionality to manage templates based OIDC IDPs
2023-02-24 15:16:06 +01:00
}
}
feat(api): add oidc and jwt provider template (#5290) Adds possibility to manage OIDC and JWT template based providers
2023-02-27 16:32:18 +01:00
if oidcID.Valid {
idpTemplate.OIDCIDPTemplate = &OIDCIDPTemplate{
fix: use idToken for mapping when using old configs (#5458) * fix: use idToken for mapping when using old configs * fix events and add tests
2023-03-16 16:47:22 +01:00
IDPID: oidcID.String,
ClientID: oidcClientID.String,
ClientSecret: oidcClientSecret,
Issuer: oidcIssuer.String,
Scopes: oidcScopes,
IsIDTokenMapping: oidcIDTokenMapping.Bool,
feat: add PKCE option to generic OAuth2 / OIDC identity providers (#9373) # Which Problems Are Solved Some OAuth2 and OIDC providers require the use of PKCE for all their clients. While ZITADEL already recommended the same for its clients, it did not yet support the option on the IdP configuration. # How the Problems Are Solved - A new boolean `use_pkce` is added to the add/update generic OAuth/OIDC endpoints. - A new checkbox is added to the generic OAuth and OIDC provider templates. - The `rp.WithPKCE` option is added to the provider if the use of PKCE has been set. - The `rp.WithCodeChallenge` and `rp.WithCodeVerifier` options are added to the OIDC/Auth BeginAuth and CodeExchange function. - Store verifier or any other persistent argument in the intent or auth request. - Create corresponding session object before creating the intent, to be able to store the information. - (refactored session structs to use a constructor for unified creation and better overview of actual usage) Here's a screenshot showing the URI including the PKCE params: ![use_pkce_in_url](https://github.com/zitadel/zitadel/assets/30386061/eaeab123-a5da-4826-b001-2ae9efa35169) # Additional Changes None. # Additional Context - Closes #6449 - This PR replaces the existing PR (#8228) of @doncicuto. The base he did was cherry picked. Thank you very much for that! --------- Co-authored-by: Miguel Cabrerizo <doncicuto@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-02-26 13:20:47 +01:00
UsePKCE: oidcUserPKCE.Bool,
feat(api): add oidc and jwt provider template (#5290) Adds possibility to manage OIDC and JWT template based providers
2023-02-27 16:32:18 +01:00
}
}
if jwtID.Valid {
idpTemplate.JWTIDPTemplate = &JWTIDPTemplate{
IDPID: jwtID.String,
Issuer: jwtIssuer.String,
KeysEndpoint: jwtKeysEndpoint.String,
HeaderName: jwtHeaderName.String,
Endpoint: jwtEndpoint.String,
}
}
feat: add azure provider templates (#5441) Adds possibility to manage and use Microsoft Azure template based providers
2023-03-15 07:48:37 +01:00
if azureadID.Valid {
idpTemplate.AzureADIDPTemplate = &AzureADIDPTemplate{
IDPID: azureadID.String,
ClientID: azureadClientID.String,
ClientSecret: azureadClientSecret,
Scopes: azureadScopes,
Tenant: azureadTenant.String,
IsEmailVerified: azureadIsEmailVerified.Bool,
}
}
feat: add github provider template (#5334) Adds possibility to manage and use GitHub (incl. Enterprise Server) template based providers
2023-03-08 11:17:28 +01:00
if githubID.Valid {
idpTemplate.GitHubIDPTemplate = &GitHubIDPTemplate{
IDPID: githubID.String,
ClientID: githubClientID.String,
ClientSecret: githubClientSecret,
Scopes: githubScopes,
}
}
if githubEnterpriseID.Valid {
idpTemplate.GitHubEnterpriseIDPTemplate = &GitHubEnterpriseIDPTemplate{
IDPID: githubEnterpriseID.String,
ClientID: githubEnterpriseClientID.String,
ClientSecret: githubEnterpriseClientSecret,
AuthorizationEndpoint: githubEnterpriseAuthorizationEndpoint.String,
TokenEndpoint: githubEnterpriseTokenEndpoint.String,
UserEndpoint: githubEnterpriseUserEndpoint.String,
Scopes: githubEnterpriseScopes,
}
}
feat: add gitlab provider templates (#5405) * feat(api): add google provider template * refactor reduce functions * handle removed event * linting * fix projection * feat(api): add generic oauth provider template * feat(api): add github provider templates * feat(api): add github provider templates * fixes * proto comment * fix filtering * requested changes * feat(api): add generic oauth provider template * remove wrongly committed message * increase budget for angular build * fix linting * fixes * fix merge * fix merge * fix projection * fix merge * updates from previous PRs * enable github providers in login * fix merge * fix test and add github styling in login * cleanup * feat(api): add gitlab provider templates * fix: merge * fix display of providers in login * implement gitlab in login and make prompt `select_account` optional since gitlab can't handle it * fix merge * fix merge and add tests for command side * requested changes * requested changes * Update internal/query/idp_template.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * fix merge * requested changes --------- Co-authored-by: Silvan <silvan.reusser@gmail.com>
2023-03-13 17:34:29 +01:00
if gitlabID.Valid {
idpTemplate.GitLabIDPTemplate = &GitLabIDPTemplate{
IDPID: gitlabID.String,
ClientID: gitlabClientID.String,
ClientSecret: gitlabClientSecret,
Scopes: gitlabScopes,
}
}
if gitlabSelfHostedID.Valid {
idpTemplate.GitLabSelfHostedIDPTemplate = &GitLabSelfHostedIDPTemplate{
IDPID: gitlabSelfHostedID.String,
Issuer: gitlabSelfHostedIssuer.String,
ClientID: gitlabSelfHostedClientID.String,
ClientSecret: gitlabSelfHostedClientSecret,
Scopes: gitlabSelfHostedScopes,
}
}
feat(api): add google provider template (#5247) add functionality to manage templates based Google IDP
2023-02-21 18:18:28 +01:00
if googleID.Valid {
idpTemplate.GoogleIDPTemplate = &GoogleIDPTemplate{
IDPID: googleID.String,
ClientID: googleClientID.String,
ClientSecret: googleClientSecret,
Scopes: googleScopes,
}
feat(api): add generic oauth provider template (#5260) adds functionality to manage templates based OIDC IDPs
2023-02-24 15:16:06 +01:00
}
feat: add SAML as identity provider (#6454) * feat: first implementation for saml sp * fix: add command side instance and org for saml provider * fix: add query side instance and org for saml provider * fix: request handling in event and retrieval of finished intent * fix: add review changes and integration tests * fix: add integration tests for saml idp * fix: correct unit tests with review changes * fix: add saml session unit test * fix: add saml session unit test * fix: add saml session unit test * fix: changes from review * fix: changes from review * fix: proto build error * fix: proto build error * fix: proto build error * fix: proto require metadata oneof * fix: login with saml provider * fix: integration test for saml assertion * lint client.go * fix json tag * fix: linting * fix import * fix: linting * fix saml idp query * fix: linting * lint: try all issues * revert linting config * fix: add regenerate endpoints * fix: translations * fix mk.yaml * ignore acs path for user agent cookie * fix: add AuthFromProvider test for saml * fix: integration test for saml retrieve information --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-09-29 11:26:14 +02:00
if samlID.Valid {
idpTemplate.SAMLIDPTemplate = &SAMLIDPTemplate{
feat(saml): allow setting nameid-format and alternative mapping for transient format (#7979) # Which Problems Are Solved ZITADEL currently always uses `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` in SAML requests, relying on the IdP to respect that flag and always return a peristent nameid in order to be able to map the external user with an existing user (idp link) in ZITADEL. In case the IdP however returns a `urn:oasis:names:tc:SAML:2.0:nameid-format:transient` (transient) nameid, the attribute will differ between each request and it will not be possible to match existing users. # How the Problems Are Solved This PR adds the following two options on SAML IdP: - **nameIDFormat**: allows to set the nameid-format used in the SAML Request - **transientMappingAttributeName**: allows to set an attribute name, which will be used instead of the nameid itself in case the returned nameid-format is transient # Additional Changes To reduce impact on current installations, the `idp_templates6_saml` table is altered with the two added columns by a setup job. New installations will automatically get the table with the two columns directly. All idp unit tests are updated to use `expectEventstore` instead of the deprecated `eventstoreExpect`. # Additional Context Closes #7483 Closes #7743 --------- Co-authored-by: peintnermax <max@caos.ch> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2024-05-23 07:04:07 +02:00
IDPID: samlID.String,
Metadata: samlMetadata,
Key: samlKey,
Certificate: samlCertificate,
Binding: samlBinding.String,
WithSignedRequest: samlWithSignedRequest.Bool,
NameIDFormat: samlNameIDFormat,
TransientMappingAttributeName: samlTransientMappingAttributeName.String,
feat: federated logout for SAML IdPs (#9931) # Which Problems Are Solved Currently if a user signs in using an IdP, once they sign out of Zitadel, the corresponding IdP session is not terminated. This can be the desired behavior. In some cases, e.g. when using a shared computer it results in a potential security risk, since a follower user might be able to sign in as the previous using the still open IdP session. # How the Problems Are Solved - Admins can enabled a federated logout option on SAML IdPs through the Admin and Management APIs. - During the termination of a login V1 session using OIDC end_session endpoint, Zitadel will check if an IdP was used to authenticate that session. - In case there was a SAML IdP used with Federated Logout enabled, it will intercept the logout process, store the information into the shared cache and redirect to the federated logout endpoint in the V1 login. - The V1 login federated logout endpoint checks every request on an existing cache entry. On success it will create a SAML logout request for the used IdP and either redirect or POST to the configured SLO endpoint. The cache entry is updated with a `redirected` state. - A SLO endpoint is added to the `/idp` handlers, which will handle the SAML logout responses. At the moment it will check again for an existing federated logout entry (with state `redirected`) in the cache. On success, the user is redirected to the initially provided `post_logout_redirect_uri` from the end_session request. # Additional Changes None # Additional Context - This PR merges the https://github.com/zitadel/zitadel/pull/9841 and https://github.com/zitadel/zitadel/pull/9854 to main, additionally updating the docs on Entra ID SAML. - closes #9228 - backport to 3.x --------- Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com> Co-authored-by: Zach Hirschtritt <zachary.hirschtritt@klaviyo.com>
2025-05-23 13:52:25 +02:00
FederatedLogoutEnabled: samlFederatedLogoutEnabled.Bool,
feat: add SAML as identity provider (#6454) * feat: first implementation for saml sp * fix: add command side instance and org for saml provider * fix: add query side instance and org for saml provider * fix: request handling in event and retrieval of finished intent * fix: add review changes and integration tests * fix: add integration tests for saml idp * fix: correct unit tests with review changes * fix: add saml session unit test * fix: add saml session unit test * fix: add saml session unit test * fix: changes from review * fix: changes from review * fix: proto build error * fix: proto build error * fix: proto build error * fix: proto require metadata oneof * fix: login with saml provider * fix: integration test for saml assertion * lint client.go * fix json tag * fix: linting * fix import * fix: linting * fix saml idp query * fix: linting * lint: try all issues * revert linting config * fix: add regenerate endpoints * fix: translations * fix mk.yaml * ignore acs path for user agent cookie * fix: add AuthFromProvider test for saml * fix: integration test for saml retrieve information --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-09-29 11:26:14 +02:00
}
}
feat(api): add generic oauth provider template (#5260) adds functionality to manage templates based OIDC IDPs
2023-02-24 15:16:06 +01:00
if ldapID.Valid {
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
idpTemplate.LDAPIDPTemplate = &LDAPIDPTemplate{
feat: ldap provider login (#5448) Add the logic to configure and use LDAP provider as an external IDP with a dedicated login GUI.
2023-03-24 16:18:56 +01:00
IDPID: ldapID.String,
Servers: ldapServers,
StartTLS: ldapStartTls.Bool,
BaseDN: ldapBaseDN.String,
BindDN: ldapBindDN.String,
BindPassword: ldapBindPassword,
UserBase: ldapUserBase.String,
UserObjectClasses: ldapUserObjectClasses,
UserFilters: ldapUserFilters,
Timeout: time.Duration(ldapTimeout.Int64),
feat(ldap): adding root ca option to ldap config (#9292) # Which Problems Are Solved Adding ability to add a root CA to LDAP configs # Additional Context - Closes https://github.com/zitadel/zitadel/issues/7888 --------- Co-authored-by: Iraq Jaber <IraqJaber@gmail.com>
2025-02-18 10:06:50 +00:00
RootCA: ldapRootCA,
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
LDAPAttributes: idp.LDAPAttributes{
IDAttribute: ldapIDAttribute.String,
FirstNameAttribute: ldapFirstNameAttribute.String,
LastNameAttribute: ldapLastNameAttribute.String,
DisplayNameAttribute: ldapDisplayNameAttribute.String,
NickNameAttribute: ldapNickNameAttribute.String,
PreferredUsernameAttribute: ldapPreferredUsernameAttribute.String,
EmailAttribute: ldapEmailAttribute.String,
EmailVerifiedAttribute: ldapEmailVerifiedAttribute.String,
PhoneAttribute: ldapPhoneAttribute.String,
PhoneVerifiedAttribute: ldapPhoneVerifiedAttribute.String,
PreferredLanguageAttribute: ldapPreferredLanguageAttribute.String,
AvatarURLAttribute: ldapAvatarURLAttribute.String,
ProfileAttribute: ldapProfileAttribute.String,
},
}
}
feat: add apple as idp (#6442) * feat: manage apple idp * handle apple idp callback * add tests for provider * basic console implementation * implement flow for login UI and add logos / styling * tests * cleanup * add upload button * begin i18n * apple logo positioning, file upload component * fix add apple instance idp * add missing apple logos for login * update to go 1.21 * fix slice compare * revert permission changes * concrete error messages * translate login apple logo -y-2px * change form parsing * sign in button * fix tests * lint console --------- Co-authored-by: peintnermax <max@caos.ch>
2023-08-31 08:39:16 +02:00
if appleID.Valid {
idpTemplate.AppleIDPTemplate = &AppleIDPTemplate{
IDPID: appleID.String,
ClientID: appleClientID.String,
TeamID: appleTeamID.String,
KeyID: appleKeyID.String,
PrivateKey: applePrivateKey,
Scopes: appleScopes,
}
}
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
templates = append(templates, idpTemplate)
}
if err := rows.Close(); err != nil {
refactor: rename package errors to zerrors (#7039) * chore: rename package errors to zerrors * rename package errors to gerrors * fix error related linting issues * fix zitadel error assertion * fix gosimple linting issues * fix deprecated linting issues * resolve gci linting issues * fix import structure --------- Co-authored-by: Elio Bischof <elio@zitadel.com>
2023-12-08 16:30:55 +02:00
return nil, zerrors.ThrowInternal(err, "QUERY-SAGrt", "Errors.Query.CloseRows")
feat: add management for ldap idp template (#5220) Add management functionality for LDAP idps with templates and the basic functionality for the LDAP provider, which can then be used with a separate login page in the future. --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-02-15 09:14:59 +01:00
}
return &IDPTemplates{
Templates: templates,
SearchResponse: SearchResponse{
Count: count,
},
}, nil
}
}
Reference in New Issue Copy Permalink