feat: add SAML as identity provider (#6454)

* feat: first implementation for saml sp * fix: add command side instance and org for saml provider * fix: add query side instance and org for saml provider * fix: request handling in event and retrieval of finished intent * fix: add review changes and integration tests * fix: add integration tests for saml idp * fix: correct unit tests with review changes * fix: add saml session unit test * fix: add saml session unit test * fix: add saml session unit test * fix: changes from review * fix: changes from review * fix: proto build error * fix: proto build error * fix: proto build error * fix: proto require metadata oneof * fix: login with saml provider * fix: integration test for saml assertion * lint client.go * fix json tag * fix: linting * fix import * fix: linting * fix saml idp query * fix: linting * lint: try all issues * revert linting config * fix: add regenerate endpoints * fix: translations * fix mk.yaml * ignore acs path for user agent cookie * fix: add AuthFromProvider test for saml * fix: integration test for saml retrieve information --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-11 19:07:30 +00:00 · 2023-09-29 11:26:14 +02:00
parent 2e99d0fe1b
commit 15fd3045e0
82 changed files with 6301 additions and 245 deletions
--- a/internal/command/command.go
+++ b/internal/command/command.go
@@ -2,7 +2,13 @@ package command

 import (
 	"context"
+	"crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
 	"net/http"
+	"strconv"
 	"time"

 	"github.com/zitadel/zitadel/internal/api/authz"
@@ -74,6 +80,8 @@ type Commands struct {
 	publicKeyLifetime       time.Duration
 	certificateLifetime     time.Duration
 	defaultSecretGenerators *SecretGenerators
+
+	samlCertificateAndKeyGenerator func(id string) ([]byte, []byte, error)
 }

 func StartCommands(
@@ -131,6 +139,7 @@ func StartCommands(
 		defaultRefreshTokenLifetime:     defaultRefreshTokenLifetime,
 		defaultRefreshTokenIdleLifetime: defaultRefreshTokenIdleLifetime,
 		defaultSecretGenerators:         defaultSecretGenerators,
+		samlCertificateAndKeyGenerator:  samlCertificateAndKeyGenerator(defaults.KeyConfig.Size),
 	}

 	instance_repo.RegisterEventMappers(repo.eventstore)
@@ -211,3 +220,36 @@ func exists(ctx context.Context, filter preparation.FilterToQueryReducer, wm exi
 	}
 	return wm.Exists(), nil
 }
+
+func samlCertificateAndKeyGenerator(keySize int) func(id string) ([]byte, []byte, error) {
+	return func(id string) ([]byte, []byte, error) {
+		priv, pub, err := crypto.GenerateKeyPair(keySize)
+		if err != nil {
+			return nil, nil, err
+		}
+
+		serial, err := strconv.Atoi(id)
+		if err != nil {
+			return nil, nil, err
+		}
+		template := x509.Certificate{
+			SerialNumber: big.NewInt(int64(serial)),
+			Subject: pkix.Name{
+				Organization: []string{"ZITADEL"},
+				SerialNumber: id,
+			},
+			KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+			ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+			BasicConstraintsValid: true,
+		}
+
+		derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, pub, priv)
+		if err != nil {
+			return nil, nil, errors.ThrowInternalf(err, "COMMAND-x92u101j", "failed to create certificate")
+		}
+
+		keyBlock := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)}
+		certBlock := &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}
+		return pem.EncodeToMemory(keyBlock), pem.EncodeToMemory(certBlock), nil
+	}
+}