feat(saml): implementation of saml for ZITADEL v2 (#3618)

2025-08-11 21:37:32 +00:00 · 2022-09-12 17:18:08 +01:00
parent 01a92ba5d9
commit 7a5f7f82cf
134 changed files with 5570 additions and 1293 deletions
--- a/proto/zitadel/app.proto
+++ b/proto/zitadel/app.proto
@@ -30,6 +30,7 @@ message App {
    oneof config {
        OIDCConfig oidc_config = 5;
        APIConfig api_config = 6;
+        SAMLConfig saml_config = 7;
    }
 }

@@ -198,6 +199,13 @@ enum OIDCTokenType {
    OIDC_TOKEN_TYPE_JWT = 1;
 }

+message SAMLConfig {
+    oneof metadata{
+        bytes metadata_xml = 1;
+        string metadata_url = 2;
+    }
+}
+
 enum APIAuthMethodType {
    API_AUTH_METHOD_TYPE_BASIC = 0;
    API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT = 1;
--- a/proto/zitadel/management.proto
+++ b/proto/zitadel/management.proto
@@ -1298,14 +1298,28 @@ service ManagementService {
        };
    }

-    // Adds a new api application
-    // Returns a client id
-    // Returns a new generated secret if needed (Depending on the configuration)
-    rpc AddAPIApp(AddAPIAppRequest) returns (AddAPIAppResponse) {
-        option (google.api.http) = {
-            post: "/projects/{project_id}/apps/api"
-            body: "*"
-        };
+  // Adds a new saml service provider
+  // Returns a entityID
+  rpc AddSAMLApp(AddSAMLAppRequest) returns (AddSAMLAppResponse) {
+    option (google.api.http) = {
+      post: "/projects/{project_id}/apps/saml"
+      body: "*"
+    };
+
+    option (zitadel.v1.auth_option) = {
+      permission: "project.app.write"
+      check_field_name: "ProjectId"
+    };
+  }
+
+  // Adds a new api application
+  // Returns a client id
+  // Returns a new generated secret if needed (Depending on the configuration)
+  rpc AddAPIApp(AddAPIAppRequest) returns (AddAPIAppResponse) {
+    option (google.api.http) = {
+      post: "/projects/{project_id}/apps/api"
+      body: "*"
+    };

        option (zitadel.v1.auth_option) = {
            permission: "project.app.write"
@@ -1339,12 +1353,25 @@ service ManagementService {
        };
    }

-    // Changes the configuration of the api application
-    rpc UpdateAPIAppConfig(UpdateAPIAppConfigRequest) returns (UpdateAPIAppConfigResponse) {
-        option (google.api.http) = {
-            put: "/projects/{project_id}/apps/{app_id}/api_config"
-            body: "*"
-        };
+  // Changes the configuration of the saml application
+  rpc UpdateSAMLAppConfig(UpdateSAMLAppConfigRequest) returns (UpdateSAMLAppConfigResponse) {
+    option (google.api.http) = {
+      put: "/projects/{project_id}/apps/{app_id}/saml_config"
+      body: "*"
+    };
+
+    option (zitadel.v1.auth_option) = {
+      permission: "project.app.write"
+      check_field_name: "ProjectId"
+    };
+  }
+
+  // Changes the configuration of the api application
+  rpc UpdateAPIAppConfig(UpdateAPIAppConfigRequest) returns (UpdateAPIAppConfigResponse) {
+    option (google.api.http) = {
+      put: "/projects/{project_id}/apps/{app_id}/api_config"
+      body: "*"
+    };

        option (zitadel.v1.auth_option) = {
            permission: "project.app.write"
@@ -3954,6 +3981,21 @@ message AddOIDCAppResponse {
    repeated zitadel.v1.LocalizedMessage compliance_problems = 6;
 }

+message AddSAMLAppRequest {
+  string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+  string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+  oneof metadata {
+      option (validate.required) = true;
+      bytes metadata_xml = 3 [(validate.rules).bytes.max_len = 500000];
+      string metadata_url = 4 [(validate.rules).string.max_len = 200];
+  }
+}
+
+message AddSAMLAppResponse {
+  string app_id = 1;
+  zitadel.v1.ObjectDetails details = 2;
+}
+
 message AddAPIAppRequest {
    string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
    string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
@@ -4007,7 +4049,22 @@ message UpdateOIDCAppConfigRequest {
 }

 message UpdateOIDCAppConfigResponse {
-    zitadel.v1.ObjectDetails details = 1;
+  zitadel.v1.ObjectDetails details = 1;
+}
+
+message UpdateSAMLAppConfigRequest {
+  string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+  string app_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+
+  oneof metadata {
+      option (validate.required) = true;
+      bytes metadata_xml = 3 [(validate.rules).bytes.max_len = 500000];
+      string metadata_url = 4 [(validate.rules).string.max_len = 200];
+  }
+}
+
+message UpdateSAMLAppConfigResponse {
+  zitadel.v1.ObjectDetails details = 1;
 }

 message UpdateAPIAppConfigRequest {