feat(saml): implementation of saml for ZITADEL v2 (#3618)

internal/api/ui/login/external_login_handler.go

@@ -374,7 +374,7 @@ func (l *Login) handleAutoRegister(w http.ResponseWriter, r *http.Request, authR
 			return
 		}
 		linkingUser = l.mapExternalNotFoundOptionFormDataToLoginUser(data)
-	} 
+	}
 
 	user, externalIDP, metadata := l.mapExternalUserToLoginUser(orgIamPolicy, linkingUser, idpConfig)
 

internal/api/ui/login/login.go

@@ -37,6 +37,7 @@ type Login struct {
 	externalSecure      bool
 	consolePath         string
 	oidcAuthCallbackURL func(context.Context, string) string
+	samlAuthCallbackURL func(context.Context, string) string
 	idpConfigAlg        crypto.EncryptionAlgorithm
 	userCodeAlg         crypto.EncryptionAlgorithm
 }
@@ -61,10 +62,12 @@ func CreateLogin(config Config,
 	staticStorage static.Storage,
 	consolePath string,
 	oidcAuthCallbackURL func(context.Context, string) string,
+	samlAuthCallbackURL func(context.Context, string) string,
 	externalSecure bool,
 	userAgentCookie,
 	issuerInterceptor,
-	instanceHandler,
+	oidcInstanceHandler,
+	samlInstanceHandler mux.MiddlewareFunc,
 	assetCache mux.MiddlewareFunc,
 	userCodeAlg crypto.EncryptionAlgorithm,
 	idpConfigAlg crypto.EncryptionAlgorithm,
@@ -73,6 +76,7 @@ func CreateLogin(config Config,
 
 	login := &Login{
 		oidcAuthCallbackURL: oidcAuthCallbackURL,
+		samlAuthCallbackURL: samlAuthCallbackURL,
 		externalSecure:      externalSecure,
 		consolePath:         consolePath,
 		command:             command,
@@ -91,7 +95,7 @@ func CreateLogin(config Config,
 	cacheInterceptor := createCacheInterceptor(config.Cache.MaxAge, config.Cache.SharedMaxAge, assetCache)
 	security := middleware.SecurityHeaders(csp(), login.cspErrorHandler)
 
-	login.router = CreateRouter(login, statikFS, middleware.TelemetryHandler(IgnoreInstanceEndpoints...), instanceHandler, csrfInterceptor, cacheInterceptor, security, userAgentCookie, issuerInterceptor)
+	login.router = CreateRouter(login, statikFS, middleware.TelemetryHandler(IgnoreInstanceEndpoints...), oidcInstanceHandler, samlInstanceHandler, csrfInterceptor, cacheInterceptor, security, userAgentCookie, issuerInterceptor)
 	login.renderer = CreateRenderer(HandlerPrefix, statikFS, staticStorage, config.LanguageCookieName)
 	login.parser = form.NewParser()
 	return login, nil

internal/api/ui/login/login_success_handler.go

@@ -4,6 +4,7 @@ import (
 	"net/http"
 
 	"github.com/zitadel/zitadel/internal/domain"
+	caos_errs "github.com/zitadel/zitadel/internal/errors"
 )
 
 const (
@@ -43,11 +44,26 @@ func (l *Login) renderSuccessAndCallback(w http.ResponseWriter, r *http.Request,
 		userData: l.getUserData(r, authReq, "Login Successful", errID, errMessage),
 	}
 	if authReq != nil {
-		data.RedirectURI = l.oidcAuthCallbackURL(r.Context(), "") //the id will be set via the html (maybe change this with the login refactoring)
+		//the id will be set via the html (maybe change this with the login refactoring)
+		if _, ok := authReq.Request.(*domain.AuthRequestOIDC); ok {
+			data.RedirectURI = l.oidcAuthCallbackURL(r.Context(), "")
+		} else if _, ok := authReq.Request.(*domain.AuthRequestSAML); ok {
+			data.RedirectURI = l.samlAuthCallbackURL(r.Context(), "")
+		}
 	}
 	l.renderer.RenderTemplate(w, r, l.getTranslator(r.Context(), authReq), l.renderer.Templates[tmplLoginSuccess], data, nil)
 }
 
 func (l *Login) redirectToCallback(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest) {
-	http.Redirect(w, r, l.oidcAuthCallbackURL(r.Context(), authReq.ID), http.StatusFound)
+	var callback string
+	switch authReq.Request.(type) {
+	case *domain.AuthRequestOIDC:
+		callback = l.oidcAuthCallbackURL(r.Context(), authReq.ID)
+	case *domain.AuthRequestSAML:
+		callback = l.samlAuthCallbackURL(r.Context(), authReq.ID)
+	default:
+		l.renderInternalError(w, r, authReq, caos_errs.ThrowInternal(nil, "LOGIN-rhjQF", "Errors.AuthRequest.RequestTypeNotSupported"))
+		return
+	}
+	http.Redirect(w, r, callback, http.StatusFound)
 }