feat: add SAML as identity provider (#6454)

* feat: first implementation for saml sp

* fix: add command side instance and org for saml provider

* fix: add query side instance and org for saml provider

* fix: request handling in event and retrieval of finished intent

* fix: add review changes and integration tests

* fix: add integration tests for saml idp

* fix: correct unit tests with review changes

* fix: add saml session unit test

* fix: add saml session unit test

* fix: add saml session unit test

* fix: changes from review

* fix: changes from review

* fix: proto build error

* fix: proto build error

* fix: proto build error

* fix: proto require metadata oneof

* fix: login with saml provider

* fix: integration test for saml assertion

* lint client.go

* fix json tag

* fix: linting

* fix import

* fix: linting

* fix saml idp query

* fix: linting

* lint: try all issues

* revert linting config

* fix: add regenerate endpoints

* fix: translations

* fix mk.yaml

* ignore acs path for user agent cookie

* fix: add AuthFromProvider test for saml

* fix: integration test for saml retrieve information

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
Stefan Benz
2023-09-29 11:26:14 +02:00
committed by GitHub
parent 2e99d0fe1b
commit 15fd3045e0
82 changed files with 6301 additions and 245 deletions


@@ -26,7 +26,7 @@ import "validate/validate.proto";
package zitadel.admin.v1;
option go_package ="github.com/zitadel/zitadel/pkg/grpc/admin";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/admin";
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
info: {
@@ -85,7 +85,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
name: "Message Texts"
},
{
name: "Notification Providers"
name: "Notification Providers"
},
{
name: "Notification Settings"
@@ -167,13 +167,13 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
}
security: {
security_requirement: {
key: "OAuth2";
value: {
scope: "openid";
scope: "urn:zitadel:iam:org:project:id:zitadel:aud";
}
key: "OAuth2";
value: {
scope: "openid";
scope: "urn:zitadel:iam:org:project:id:zitadel:aud";
}
}
}
}
responses: {
key: "403";
value: {
@@ -1684,6 +1684,60 @@ service AdminService {
};
}
// Add a new SAML identity provider on the instance
rpc AddSAMLProvider(AddSAMLProviderRequest) returns (AddSAMLProviderResponse) {
option (google.api.http) = {
post: "/idps/saml"
body: "*"
};
option (zitadel.v1.auth_option) = {
permission: "iam.idp.write"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Identity Providers";
summary: "Add SAML Identity Provider";
description: "";
};
}
// Change an existing SAML identity provider on the instance
rpc UpdateSAMLProvider(UpdateSAMLProviderRequest) returns (UpdateSAMLProviderResponse) {
option (google.api.http) = {
put: "/idps/saml/{id}"
body: "*"
};
option (zitadel.v1.auth_option) = {
permission: "iam.idp.write"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Identity Providers";
summary: "Update SAML Identity Provider";
description: "";
};
}
// Regenerate certificate for an existing SAML identity provider in the organization
rpc RegenerateSAMLProviderCertificate(RegenerateSAMLProviderCertificateRequest) returns (RegenerateSAMLProviderCertificateResponse) {
option (google.api.http) = {
post: "/idps/saml/{id}/_generate_certificate"
body: "*"
};
option (zitadel.v1.auth_option) = {
permission: "iam.idp.write"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Identity Providers";
summary: "Regenerate SAML Identity Provider Certificate";
description: "";
};
}
// Remove an identity provider
// Will remove all linked providers of this configuration on the users
rpc DeleteProvider(DeleteProviderRequest) returns (DeleteProviderResponse) {
@@ -1692,7 +1746,7 @@ service AdminService {
};
option (zitadel.v1.auth_option) = {
permission: "org.idp.write"
permission: "iam.idp.write"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
@@ -1702,7 +1756,7 @@ service AdminService {
};
}
rpc GetOrgIAMPolicy(GetOrgIAMPolicyRequest) returns (GetOrgIAMPolicyResponse) {
rpc GetOrgIAMPolicy(GetOrgIAMPolicyRequest) returns (GetOrgIAMPolicyResponse) {
option (google.api.http) = {
get: "/policies/orgiam";
};
@@ -2004,7 +2058,7 @@ service AdminService {
};
}
rpc UpdateLabelPolicy(UpdateLabelPolicyRequest) returns (UpdateLabelPolicyResponse) {
rpc UpdateLabelPolicy(UpdateLabelPolicyRequest) returns (UpdateLabelPolicyResponse) {
option (google.api.http) = {
put: "/policies/label";
body: "*";
@@ -4106,10 +4160,10 @@ message GetOIDCSettingsResponse {
}
message AddOIDCSettingsRequest {
google.protobuf.Duration access_token_lifetime = 1;
google.protobuf.Duration id_token_lifetime = 2;
google.protobuf.Duration refresh_token_idle_expiration = 3;
google.protobuf.Duration refresh_token_expiration = 4;
google.protobuf.Duration access_token_lifetime = 1;
google.protobuf.Duration id_token_lifetime = 2;
google.protobuf.Duration refresh_token_idle_expiration = 3;
google.protobuf.Duration refresh_token_expiration = 4;
}
message AddOIDCSettingsResponse {
@@ -4117,10 +4171,10 @@ message AddOIDCSettingsResponse {
}
message UpdateOIDCSettingsRequest {
google.protobuf.Duration access_token_lifetime = 1;
google.protobuf.Duration id_token_lifetime = 2;
google.protobuf.Duration refresh_token_idle_expiration = 3;
google.protobuf.Duration refresh_token_expiration = 4;
google.protobuf.Duration access_token_lifetime = 1;
google.protobuf.Duration id_token_lifetime = 2;
google.protobuf.Duration refresh_token_idle_expiration = 3;
google.protobuf.Duration refresh_token_expiration = 4;
}
message UpdateOIDCSettingsResponse {
@@ -4136,9 +4190,9 @@ message GetSecurityPolicyResponse{
message SetSecurityPolicyRequest{
// states if iframe embedding is enabled or disabled
bool enable_iframe_embedding = 1;
// origins allowed loading ZITADEL in an iframe if enable_iframe_embedding is true
repeated string allowed_origins = 2;
bool enable_iframe_embedding = 1;
// origins allowed loading ZITADEL in an iframe if enable_iframe_embedding is true
repeated string allowed_origins = 2;
}
message SetSecurityPolicyResponse{
@@ -4149,11 +4203,11 @@ message SetSecurityPolicyResponse{
// at least one argument has to be provided
message IsOrgUniqueRequest {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
json_schema: {
description: "All unique fields of an organization";
required: ["name", "domain"]
};
};
json_schema: {
description: "All unique fields of an organization";
required: ["name", "domain"]
};
};
string name = 1 [
(validate.rules).string = {max_len: 200},
@@ -4192,11 +4246,11 @@ message GetOrgByIDResponse {
message ListOrgsRequest {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
json_schema: {
description: "Search query for lists";
required: ["query"]
};
};
json_schema: {
description: "Search query for lists";
required: ["query"]
};
};
//list limitations and ordering
zitadel.v1.ListQuery query = 1;
@@ -4214,18 +4268,18 @@ message ListOrgsResponse {
message SetUpOrgRequest {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
json_schema: {
description: "Request to set up an organization. User is required";
required: ["org", "user"]
};
};
json_schema: {
description: "Request to set up an organization. User is required";
required: ["org", "user"]
};
};
message Org {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
json_schema: {
required: ["name"]
};
};
};
string name = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -4249,7 +4303,7 @@ message SetUpOrgRequest {
json_schema: {
required: ["user_name", "profile", "email", "password"];
};
};
};
message Profile {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
@@ -4583,11 +4637,11 @@ message AddJWTIDPResponse {
message UpdateIDPRequest {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
json_schema: {
description: "Updates fields of an IDP";
required: ["idp_id", "name"]
};
};
json_schema: {
description: "Updates fields of an IDP";
required: ["idp_id", "name"]
};
};
string idp_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
string name = 2 [
@@ -4613,10 +4667,10 @@ message UpdateIDPResponse {
message DeactivateIDPRequest {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
json_schema: {
required: ["idp_id"]
};
};
json_schema: {
required: ["idp_id"]
};
};
string idp_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -4633,10 +4687,10 @@ message DeactivateIDPResponse {
message ReactivateIDPRequest {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
json_schema: {
required: ["idp_id"]
};
};
json_schema: {
required: ["idp_id"]
};
};
string idp_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -4653,10 +4707,10 @@ message ReactivateIDPResponse {
message RemoveIDPRequest {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
json_schema: {
required: ["idp_id"]
};
};
json_schema: {
required: ["idp_id"]
};
};
string idp_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
@@ -4674,10 +4728,10 @@ message RemoveIDPResponse {
message UpdateIDPOIDCConfigRequest {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
json_schema: {
required: ["idp_id", "issuer", "client_id"]
};
};
json_schema: {
required: ["idp_id", "issuer", "client_id"]
};
};
string idp_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
@@ -5741,6 +5795,86 @@ message UpdateAppleProviderResponse {
zitadel.v1.ObjectDetails details = 1;
}
message AddSAMLProviderRequest {
string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
oneof metadata {
option (validate.required) = true;
bytes metadata_xml = 2 [
(validate.rules).bytes.max_len = 500000,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Metadata of the SAML identity provider";
}
];
string metadata_url = 3 [
(validate.rules).string.max_len = 200,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://test.com/saml/metadata\""
description: "Url to the metadata of the SAML identity provider";
}
];
}
zitadel.idp.v1.SAMLBinding binding = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Binding which defines the type of communication with the identity provider";
}
];
bool with_signed_request = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Boolean which defines if the authentication requests are signed";
}
];
zitadel.idp.v1.Options provider_options = 6;
}
message AddSAMLProviderResponse {
zitadel.v1.ObjectDetails details = 1;
string id = 2;
}
message UpdateSAMLProviderRequest {
string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
oneof metadata {
option (validate.required) = true;
bytes metadata_xml = 3 [
(validate.rules).bytes.max_len = 500000,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Metadata of the SAML identity provider";
}
];
string metadata_url = 4 [
(validate.rules).string.max_len = 200,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://test.com/saml/metadata\""
description: "Url to the metadata of the SAML identity provider";
}
];
}
zitadel.idp.v1.SAMLBinding binding = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Binding which defines the type of communication with the identity provider";
}
];
bool with_signed_request = 6 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Boolean which defines if the authentication requests are signed";
}
];
zitadel.idp.v1.Options provider_options = 7;
}
message UpdateSAMLProviderResponse {
zitadel.v1.ObjectDetails details = 1;
}
message RegenerateSAMLProviderCertificateRequest {
string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
}
message RegenerateSAMLProviderCertificateResponse {
zitadel.v1.ObjectDetails details = 1;
}
message DeleteProviderRequest {
string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
}
@@ -5876,10 +6010,10 @@ message UpdateDomainPolicyResponse {
message GetCustomDomainPolicyRequest {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
json_schema: {
required: ["org_id"]
};
};
json_schema: {
required: ["org_id"]
};
};
string org_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -5898,10 +6032,10 @@ message GetCustomDomainPolicyResponse {
message AddCustomDomainPolicyRequest {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
json_schema: {
required: ["org_id"]
};
};
json_schema: {
required: ["org_id"]
};
};
string org_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
@@ -5934,10 +6068,10 @@ message AddCustomDomainPolicyResponse {
message UpdateCustomDomainPolicyRequest {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
json_schema: {
required: ["org_id"]
};
};
json_schema: {
required: ["org_id"]
};
};
string org_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
@@ -5970,10 +6104,10 @@ message UpdateCustomDomainPolicyResponse {
message ResetCustomDomainPolicyToDefaultRequest {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
json_schema: {
required: ["org_id"]
};
};
json_schema: {
required: ["org_id"]
};
};
string org_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
@@ -6050,7 +6184,7 @@ message UpdateLabelPolicyRequest {
}
];
string background_color_dark = 8 [
(validate.rules).string = { max_len: 50},
(validate.rules).string = {max_len: 50},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "hex value for background color dark theme";
example: "\"#111827\"";
@@ -6058,7 +6192,7 @@ message UpdateLabelPolicyRequest {
}
];
string warn_color_dark = 9 [
(validate.rules).string = { max_len: 50},
(validate.rules).string = {max_len: 50},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "hex value for warning color dark theme";
example: "\"#FF3B5B\"";
@@ -6066,7 +6200,7 @@ message UpdateLabelPolicyRequest {
}
];
string font_color_dark = 10 [
(validate.rules).string = { max_len: 50},
(validate.rules).string = {max_len: 50},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "hex value for font color dark theme";
example: "\"#FFFFFF\"";
@@ -6214,10 +6348,10 @@ message ListLoginPolicyIDPsResponse {
message AddIDPToLoginPolicyRequest {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
json_schema: {
required: ["org_id"]
};
};
json_schema: {
required: ["org_id"]
};
};
string idp_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
@@ -6237,10 +6371,10 @@ message AddIDPToLoginPolicyResponse {
message RemoveIDPFromLoginPolicyRequest {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
json_schema: {
required: ["idp_id"]
};
};
json_schema: {
required: ["idp_id"]
};
};
string idp_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
@@ -6266,10 +6400,10 @@ message ListLoginPolicySecondFactorsResponse {
message AddSecondFactorToLoginPolicyRequest {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
json_schema: {
required: ["type"]
};
};
json_schema: {
required: ["type"]
};
};
zitadel.policy.v1.SecondFactorType type = 1 [(validate.rules).enum = {defined_only: true, not_in: [0]}];
}
@@ -6280,10 +6414,10 @@ message AddSecondFactorToLoginPolicyResponse {
message RemoveSecondFactorFromLoginPolicyRequest {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
json_schema: {
required: ["type"]
};
};
json_schema: {
required: ["type"]
};
};
zitadel.policy.v1.SecondFactorType type = 1 [(validate.rules).enum = {defined_only: true, not_in: [0]}];
}
@@ -6302,10 +6436,10 @@ message ListLoginPolicyMultiFactorsResponse {
message AddMultiFactorToLoginPolicyRequest {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
json_schema: {
required: ["type"]
};
};
json_schema: {
required: ["type"]
};
};
zitadel.policy.v1.MultiFactorType type = 1 [(validate.rules).enum = {defined_only: true, not_in: [0]}];
}
@@ -6316,10 +6450,10 @@ message AddMultiFactorToLoginPolicyResponse {
message RemoveMultiFactorFromLoginPolicyRequest {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
json_schema: {
required: ["type"]
};
};
json_schema: {
required: ["type"]
};
};
zitadel.policy.v1.MultiFactorType type = 1 [(validate.rules).enum = {defined_only: true, not_in: [0]}];
}
@@ -6469,11 +6603,11 @@ message GetNotificationPolicyResponse {
}
message UpdateNotificationPolicyRequest {
bool password_change = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "If set to true the users will get a notification whenever their password has been changed.";
}
];
bool password_change = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "If set to true the users will get a notification whenever their password has been changed.";
}
];
}
message UpdateNotificationPolicyResponse {
@@ -7261,10 +7395,10 @@ message ResetCustomLoginTextsToDefaultResponse {
message AddIAMMemberRequest {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
json_schema: {
required: ["user_id"]
};
};
json_schema: {
required: ["user_id"]
};
};
string user_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
@@ -7288,10 +7422,10 @@ message AddIAMMemberResponse {
message UpdateIAMMemberRequest {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
json_schema: {
required: ["user_id"]
};
};
json_schema: {
required: ["user_id"]
};
};
string user_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
@@ -7315,10 +7449,10 @@ message UpdateIAMMemberResponse {
message RemoveIAMMemberRequest {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
json_schema: {
required: ["user_id"]
};
};
json_schema: {
required: ["user_id"]
};
};
string user_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
@@ -7376,10 +7510,10 @@ message ListFailedEventsResponse {
message RemoveFailedEventRequest {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
json_schema: {
required: ["database", "view_name", "failed_sequence"]
};
};
json_schema: {
required: ["database", "view_name", "failed_sequence"]
};
};
string database = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
@@ -7476,7 +7610,7 @@ message ImportDataRequest {
message S3Input{
string path = 1;
string endpoint = 2;
string access_key_id =3;
string access_key_id = 3;
string secret_access_key = 4;
bool ssl = 5;
string bucket = 6;
@@ -7635,7 +7769,7 @@ message ExportDataRequest {
message S3Output{
string path = 1;
string endpoint = 2;
string access_key_id =3;
string access_key_id = 3;
string secret_access_key = 4;
bool ssl = 5;
string bucket = 6;
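Review bot: `metadata_url` in AddSAMLProviderRequest and UpdateSAMLProviderRequest is described as a URL that the server presumably dereferences to load the provider's metadata, yet its only rule is `(validate.rules).string.max_len = 200`, so any string of that length passes schema validation; protoc-gen-validate offers `(validate.rules).string = {uri: true, max_len: 200}`, and the description should state that the server fetches this URL so operators understand it triggers an outbound request on their behalf. `binding` carries no enum rule although this file validates other enums with `(validate.rules).enum = {defined_only: true, not_in: [0]}` (see SecondFactorType in AddSecondFactorToLoginPolicyRequest); if `SAML_BINDING_UNSPECIFIED` is meant to select a default binding the field description should say so, otherwise add at least `defined_only: true`. `metadata_xml` admits up to 500000 bytes of caller-supplied XML, so it is worth confirming that the parser behind it rejects DTDs and external entities — that code lives outside this file. Both messages are duplicated verbatim in management.proto, so the same points apply there. Separately, the leading comment on RegenerateSAMLProviderCertificate in AdminService says "in the organization" while its siblings say "on the instance".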


@@ -117,7 +117,6 @@ enum IDPStylingType {
enum IDPType {
IDP_TYPE_UNSPECIFIED = 0;
IDP_TYPE_OIDC = 1;
//PLANNED: IDP_TYPE_SAML
IDP_TYPE_JWT = 3;
}
@@ -267,6 +266,14 @@ enum ProviderType {
PROVIDER_TYPE_GITLAB_SELF_HOSTED = 9;
PROVIDER_TYPE_GOOGLE = 10;
PROVIDER_TYPE_APPLE = 11;
PROVIDER_TYPE_SAML = 12;
}
enum SAMLBinding {
SAML_BINDING_UNSPECIFIED = 0;
SAML_BINDING_POST = 1;
SAML_BINDING_REDIRECT = 2;
SAML_BINDING_ARTIFACT = 3;
}
message ProviderConfig {
@@ -283,6 +290,7 @@ message ProviderConfig {
GitLabSelfHostedConfig gitlab_self_hosted = 10;
AzureADConfig azure_ad = 11;
AppleConfig apple = 12;
SAMLConfig saml = 13;
}
}
@@ -443,6 +451,24 @@ message LDAPConfig {
LDAPAttributes attributes = 9;
}
message SAMLConfig {
bytes metadata_xml = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Metadata of the SAML identity provider";
}
];
zitadel.idp.v1.SAMLBinding binding = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Binding which defines the type of communication with the identity provider";
}
];
bool with_signed_request = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Boolean which defines if the authentication requests are signed";
}
];
}
message AzureADConfig {
string client_id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
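Review bot: The `//PLANNED: IDP_TYPE_SAML` placeholder is removed from IDPType without adding a SAML value or reserving number 2, which leaves the gap at 2 undocumented; if IDPType is the legacy enum and SAML is only represented through ProviderType, a `reserved 2;` with a one-line comment pointing to `PROVIDER_TYPE_SAML` would make that explicit. SAMLConfig exposes only `metadata_xml`, so a provider created via `metadata_url` is presumably returned as the XML fetched at configuration time; its description could say so, since readers may expect the configured URL to be echoed back. The SAMLBinding values carry no comments; a one-line note per value naming the SAML binding it maps to (HTTP-POST, HTTP-Redirect, HTTP-Artifact) would help callers.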


@@ -7094,6 +7094,60 @@ service ManagementService {
};
}
// Add a new SAML identity provider in the organization
rpc AddSAMLProvider(AddSAMLProviderRequest) returns (AddSAMLProviderResponse) {
option (google.api.http) = {
post: "/idps/saml"
body: "*"
};
option (zitadel.v1.auth_option) = {
permission: "org.idp.write"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Identity Providers";
summary: "Add SAML Identity Provider";
description: "";
};
}
// Change an existing SAML identity provider in the organization
rpc UpdateSAMLProvider(UpdateSAMLProviderRequest) returns (UpdateSAMLProviderResponse) {
option (google.api.http) = {
put: "/idps/saml/{id}"
body: "*"
};
option (zitadel.v1.auth_option) = {
permission: "org.idp.write"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Identity Providers";
summary: "Update SAML Identity Provider";
description: "";
};
}
// Regenerate certificate for an existing SAML identity provider in the organization
rpc RegenerateSAMLProviderCertificate(RegenerateSAMLProviderCertificateRequest) returns (RegenerateSAMLProviderCertificateResponse) {
option (google.api.http) = {
post: "/idps/saml/{id}/_generate_certificate"
body: "*"
};
option (zitadel.v1.auth_option) = {
permission: "org.idp.write"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Identity Providers";
summary: "Regenerate SAML Identity Provider Certificate";
description: "";
};
}
// Remove an identity provider
// Will remove all linked providers of this configuration on the users
rpc DeleteProvider(DeleteProviderRequest) returns (DeleteProviderResponse) {
@@ -12485,6 +12539,86 @@ message UpdateLDAPProviderResponse {
zitadel.v1.ObjectDetails details = 1;
}
message AddSAMLProviderRequest {
string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
oneof metadata {
option (validate.required) = true;
bytes metadata_xml = 2 [
(validate.rules).bytes.max_len = 500000,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Metadata of the SAML identity provider";
}
];
string metadata_url = 3 [
(validate.rules).string.max_len = 200,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://test.com/saml/metadata\""
description: "Url to the metadata of the SAML identity provider";
}
];
}
zitadel.idp.v1.SAMLBinding binding = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Binding which defines the type of communication with the identity provider";
}
];
bool with_signed_request = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Boolean which defines if the authentication requests are signed";
}
];
zitadel.idp.v1.Options provider_options = 6;
}
message AddSAMLProviderResponse {
zitadel.v1.ObjectDetails details = 1;
string id = 2;
}
message UpdateSAMLProviderRequest {
string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
oneof metadata {
option (validate.required) = true;
bytes metadata_xml = 3 [
(validate.rules).bytes.max_len = 500000,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Metadata of the SAML identity provider";
}
];
string metadata_url = 4 [
(validate.rules).string.max_len = 200,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://test.com/saml/metadata\""
description: "Url to the metadata of the SAML identity provider";
}
];
}
zitadel.idp.v1.SAMLBinding binding = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Binding which defines the type of communication with the identity provider";
}
];
bool with_signed_request = 6 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Boolean which defines if the authentication requests are signed";
}
];
zitadel.idp.v1.Options provider_options = 7;
}
message UpdateSAMLProviderResponse {
zitadel.v1.ObjectDetails details = 1;
}
message RegenerateSAMLProviderCertificateRequest {
string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
}
message RegenerateSAMLProviderCertificateResponse {
zitadel.v1.ObjectDetails details = 1;
}
message AddAppleProviderRequest {
// Apple will be used as default, if no name is provided
string name = 1 [
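Review bot: The three new operations (AddSAMLProvider, UpdateSAMLProvider, RegenerateSAMLProviderCertificate) ship with `description: "";` in their openapiv2_operation options, so the generated API docs show a summary only. Suggested texts: `description: "Adds a SAML identity provider to the organization. Exactly one of metadata_xml or metadata_url must be provided.";`, `description: "Updates an existing SAML identity provider of the organization. The metadata is required again on every update.";` (the oneof is marked `(validate.required) = true`), and `description: "Generates a new certificate for the SAML identity provider. The identity provider presumably needs the updated service-provider metadata afterwards.";` — confirm the last statement against the implementation. The AdminService copies of these operations in admin.proto have the same empty descriptions.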


@@ -89,6 +89,11 @@ message IDPInformation{
description: "LDAP entity attributes returned by the identity provider"
}
];
IDPSAMLAccessInformation saml = 7 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "SAMLResponse returned by the identity provider"
}
];
}
string idp_id = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -124,6 +129,10 @@ message IDPLDAPAccessInformation{
google.protobuf.Struct attributes = 1;
}
message IDPSAMLAccessInformation{
bytes assertion = 1;
}
message IDPLink {
string idp_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
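Review bot: `IDPSAMLAccessInformation.assertion` has no description, and the oneof field that carries it is described as "SAMLResponse returned by the identity provider" — a SAML Response wraps one or more Assertions, so the two names disagree about what is actually returned. The description should state whether this is the full Response XML or the extracted (and, if applicable, decrypted) Assertion, and in which encoding (raw XML or base64 as received at the ACS endpoint), e.g. `// Assertion extracted from the SAML Response, as XML bytes — TODO confirm`. Because the assertion carries identity attributes about the user, it is subject data in the same way as `IDPLDAPAccessInformation.attributes`, which is worth saying so that clients do not log or persist it casually.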


@@ -1132,6 +1132,11 @@ message StartIdentityProviderIntentResponse{
description: "IDP Intent information"
}
];
bytes post_form = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "POST call information"
}
];
}
}
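Review bot: `post_form` is described only as "POST call information", which does not tell a client what the bytes contain or what it is expected to do with them; if, as the name suggests, this is an HTML form that submits the authentication request to the identity provider for the HTTP-POST binding, the description should say so along with the encoding, e.g. `description: "HTML form to be rendered by the client to POST the SAML request to the identity provider; only set for the POST binding"` — TODO confirm against the implementation. The enclosing message StartIdentityProviderIntentResponse starts outside the hunk.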