feat(saml): implementation of saml for ZITADEL v2 (#3618)

2025-08-12 01:37:31 +00:00 · 2022-09-12 17:18:08 +01:00
parent 01a92ba5d9
commit 7a5f7f82cf
134 changed files with 5570 additions and 1293 deletions
--- a/cmd/defaults.yaml
+++ b/cmd/defaults.yaml
@@ -200,6 +200,25 @@ OIDC:
    Keys:
      Path: /oauth/v2/keys

+SAML:
+  ProviderConfig:
+    MetadataConfig:
+      Path: "/metadata"
+      SignatureAlgorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
+    IDPConfig:
+      SignatureAlgorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
+      WantAuthRequestsSigned: true
+      Endpoints:
+    #Organisation:
+    #  Name: ZITADEL
+    #  URL: https://zitadel.com
+    #ContactPerson:
+    #  ContactType: "technical"
+    #  Company: ZITADEL
+    #  EmailAddress: hi@zitadel.com
+
+
+
 Login:
  LanguageCookieName: zitadel.login.lang
  CSRFCookieName: zitadel.login.csrf
@@ -234,6 +253,9 @@ EncryptionKeys:
  OIDC:
    EncryptionKeyID: "oidcKey"
    DecryptionKeyIDs:
+  SAML:
+    EncryptionKeyID: "samlKey"
+    DecryptionKeyIDs:
  OTP:
    EncryptionKeyID: "otpKey"
    DecryptionKeyIDs:
@@ -277,8 +299,10 @@ SystemDefaults:
    FileSystemPath: ".notifications/"
  KeyConfig:
    Size: 2048
+    CertificateSize: 4096
    PrivateKeyLifetime: 6h
    PublicKeyLifetime: 30h
+    CertificateLifetime: 8766h

 DefaultInstance:
  InstanceName:
--- a/cmd/setup/03.go
+++ b/cmd/setup/03.go
@@ -70,7 +70,10 @@ func (mig *FirstInstance) Execute(ctx context.Context) error {
 		nil,
 		userAlg,
 		nil,
-		nil)
+		nil,
+		nil,
+		nil,
+	)

 	if err != nil {
 		return err
--- a/cmd/setup/config_change.go
+++ b/cmd/setup/config_change.go
@@ -47,7 +47,10 @@ func (mig *externalConfigChange) Execute(ctx context.Context) error {
 		nil,
 		nil,
 		nil,
-		nil)
+		nil,
+		nil,
+		nil,
+	)

 	if err != nil {
 		return err
--- a/cmd/start/config.go
+++ b/cmd/start/config.go
@@ -6,6 +6,7 @@ import (
 	"github.com/mitchellh/mapstructure"
 	"github.com/spf13/viper"
 	"github.com/zitadel/logging"
+	"github.com/zitadel/zitadel/internal/api/saml"

 	admin_es "github.com/zitadel/zitadel/internal/admin/repository/eventsourcing"
 	internal_authz "github.com/zitadel/zitadel/internal/api/authz"
@@ -45,6 +46,7 @@ type Config struct {
 	Admin             admin_es.Config
 	UserAgentCookie   *middleware.UserAgentCookieConfig
 	OIDC              oidc.Config
+	SAML              saml.Config
 	Login             login.Config
 	Console           console.Config
 	AssetStorage      static_config.AssetStorageConfig
@@ -90,6 +92,7 @@ type encryptionKeyConfig struct {
 	DomainVerification   *crypto.KeyConfig
 	IDPConfig            *crypto.KeyConfig
 	OIDC                 *crypto.KeyConfig
+	SAML                 *crypto.KeyConfig
 	OTP                  *crypto.KeyConfig
 	SMS                  *crypto.KeyConfig
 	SMTP                 *crypto.KeyConfig
--- a/cmd/start/encryption_keys.go
+++ b/cmd/start/encryption_keys.go
@@ -10,6 +10,7 @@ var (
 		"domainVerificationKey",
 		"idpConfigKey",
 		"oidcKey",
+		"samlKey",
 		"otpKey",
 		"smsKey",
 		"smtpKey",
@@ -23,6 +24,7 @@ type encryptionKeys struct {
 	DomainVerification crypto.EncryptionAlgorithm
 	IDPConfig          crypto.EncryptionAlgorithm
 	OIDC               crypto.EncryptionAlgorithm
+	SAML               crypto.EncryptionAlgorithm
 	OTP                crypto.EncryptionAlgorithm
 	SMS                crypto.EncryptionAlgorithm
 	SMTP               crypto.EncryptionAlgorithm
@@ -49,6 +51,10 @@ func ensureEncryptionKeys(keyConfig *encryptionKeyConfig, keyStorage crypto.KeyS
 	if err != nil {
 		return nil, err
 	}
+	keys.SAML, err = crypto.NewAESCrypto(keyConfig.SAML, keyStorage)
+	if err != nil {
+		return nil, err
+	}
 	key, err := crypto.LoadKey(keyConfig.OIDC.EncryptionKeyID, keyStorage)
 	if err != nil {
 		return nil, err
--- a/cmd/start/start.go
+++ b/cmd/start/start.go
@@ -13,6 +13,10 @@ import (
 	"syscall"
 	"time"

+	"github.com/zitadel/saml/pkg/provider"
+
+	"github.com/zitadel/zitadel/internal/api/saml"
+
 	"github.com/gorilla/mux"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
@@ -100,7 +104,7 @@ func startZitadel(config *Config, masterKey string) error {
 		return fmt.Errorf("cannot start eventstore for queries: %w", err)
 	}

-	queries, err := query.StartQueries(ctx, eventstoreClient, dbClient, config.Projections, config.SystemDefaults, keys.IDPConfig, keys.OTP, keys.OIDC, config.InternalAuthZ.RolePermissionMappings)
+	queries, err := query.StartQueries(ctx, eventstoreClient, dbClient, config.Projections, config.SystemDefaults, keys.IDPConfig, keys.OTP, keys.OIDC, keys.SAML, config.InternalAuthZ.RolePermissionMappings)
 	if err != nil {
 		return fmt.Errorf("cannot start queries: %w", err)
 	}
@@ -134,6 +138,8 @@ func startZitadel(config *Config, masterKey string) error {
 		keys.User,
 		keys.DomainVerification,
 		keys.OIDC,
+		keys.SAML,
+		&http.Client{},
 	)
 	if err != nil {
 		return fmt.Errorf("cannot start commands: %w", err)
@@ -208,13 +214,19 @@ func startAPIs(ctx context.Context, router *mux.Router, commands *command.Comman
 		return fmt.Errorf("unable to start oidc provider: %w", err)
 	}

+	samlProvider, err := saml.NewProvider(ctx, config.SAML, config.ExternalSecure, commands, queries, authRepo, keys.OIDC, keys.SAML, eventstore, dbClient, instanceInterceptor.Handler, userAgentInterceptor)
+	if err != nil {
+		return fmt.Errorf("unable to start saml provider: %w", err)
+	}
+	apis.RegisterHandler(saml.HandlerPrefix, samlProvider.HttpHandler())
+
 	c, err := console.Start(config.Console, config.ExternalSecure, oidcProvider.IssuerFromRequest, instanceInterceptor.Handler, config.CustomerPortal)
 	if err != nil {
 		return fmt.Errorf("unable to start console: %w", err)
 	}
 	apis.RegisterHandler(console.HandlerPrefix, c)

-	l, err := login.CreateLogin(config.Login, commands, queries, authRepo, store, console.HandlerPrefix+"/", op.AuthCallbackURL(oidcProvider), config.ExternalSecure, userAgentInterceptor, op.NewIssuerInterceptor(oidcProvider.IssuerFromRequest).Handler, instanceInterceptor.Handler, assetsCache.Handler, keys.User, keys.IDPConfig, keys.CSRFCookieKey)
+	l, err := login.CreateLogin(config.Login, commands, queries, authRepo, store, console.HandlerPrefix+"/", op.AuthCallbackURL(oidcProvider), provider.AuthCallbackURL(samlProvider), config.ExternalSecure, userAgentInterceptor, op.NewIssuerInterceptor(oidcProvider.IssuerFromRequest).Handler, provider.NewIssuerInterceptor(samlProvider.IssuerFromRequest).Handler, instanceInterceptor.Handler, assetsCache.Handler, keys.User, keys.IDPConfig, keys.CSRFCookieKey)
 	if err != nil {
 		return fmt.Errorf("unable to start login: %w", err)
 	}