fix(saml): improve error handling (#8928)

# Which Problems Are Solved

There are multiple issues with the metadata and error handling of SAML:
- When providing a SAML metadata for an IdP, which cannot be processed,
the error will only be noticed once a user tries to use the IdP.
- Parsing for metadata with any other encoding than UTF-8 fails.
- Metadata containing an enclosing EntitiesDescriptor around
EntityDescriptor cannot be parsed.
- Metadata's `validUntil` value is always set to 48 hours, which causes
issues on external providers, if processed from a manual down/upload.
- If a SAML response cannot be parsed, only a generic "Authentication
failed" error is returned, the cause is hidden to the user and also to
actions.

# How the Problems Are Solved

- Return parsing errors after create / update and retrieval of an IdP in
the API.
- Prevent the creation and update of an IdP in case of a parsing
failure.
- Added decoders for encodings other than UTF-8 (including ASCII,
windows and ISO, [currently
supported](efd25daf28/encoding/ianaindex/ianaindex.go (L156)))
- Updated parsing to handle both `EntitiesDescriptor` and
`EntityDescriptor` as root element
- `validUntil` will automatically set to the certificate's expiration
time
- Unwrapped the hidden error to be returned. The Login UI will still
only provide a mostly generic error, but action can now access the
underlying error.

# Additional Changes

None

# Additional Context

reported by a customer

internal/idp/providers/saml/saml.go

@@ -1,15 +1,19 @@
 package saml
 
 import (
+	"bytes"
 	"context"
 	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/xml"
+	"io"
 	"net/url"
+	"time"
 
 	"github.com/crewjam/saml"
 	"github.com/crewjam/saml/samlsp"
+	"golang.org/x/text/encoding/ianaindex"
 
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/idp"
@@ -104,6 +108,41 @@ func WithEntityID(entityID string) ProviderOpts {
 	}
 }
 
+// ParseMetadata parses the metadata with the provided XML encoding and returns the EntityDescriptor
+func ParseMetadata(metadata []byte) (*saml.EntityDescriptor, error) {
+	entityDescriptor := new(saml.EntityDescriptor)
+	reader := bytes.NewReader(metadata)
+	decoder := xml.NewDecoder(reader)
+	decoder.CharsetReader = func(charset string, reader io.Reader) (io.Reader, error) {
+		enc, err := ianaindex.IANA.Encoding(charset)
+		if err != nil {
+			return nil, err
+		}
+		return enc.NewDecoder().Reader(reader), nil
+	}
+	if err := decoder.Decode(entityDescriptor); err != nil {
+		if err.Error() == "expected element type <EntityDescriptor> but have <EntitiesDescriptor>" {
+			// reset reader to start of metadata so we can try to parse it as an EntitiesDescriptor
+			if _, err := reader.Seek(0, io.SeekStart); err != nil {
+				return nil, err
+			}
+			entities := &saml.EntitiesDescriptor{}
+			if err := decoder.Decode(entities); err != nil {
+				return nil, err
+			}
+
+			for i, e := range entities.EntityDescriptors {
+				if len(e.IDPSSODescriptors) > 0 {
+					return &entities.EntityDescriptors[i], nil
+				}
+			}
+			return nil, zerrors.ThrowInternal(nil, "SAML-Ejoi3r2", "no entity found with IDPSSODescriptor")
+		}
+		return nil, err
+	}
+	return entityDescriptor, nil
+}
+
 func New(
 	name string,
 	rootURLStr string,
@@ -112,8 +151,8 @@ func New(
 	key []byte,
 	options ...ProviderOpts,
 ) (*Provider, error) {
-	entityDescriptor := new(saml.EntityDescriptor)
-	if err := xml.Unmarshal(metadata, entityDescriptor); err != nil {
+	entityDescriptor, err := ParseMetadata(metadata)
+	if err != nil {
 		return nil, err
 	}
 	keyPair, err := tls.X509KeyPair(certificate, key)
@@ -180,6 +219,7 @@ func (p *Provider) GetSP() (*samlsp.Middleware, error) {
 	if p.binding != "" {
 		sp.Binding = p.binding
 	}
+	sp.ServiceProvider.MetadataValidDuration = time.Until(sp.ServiceProvider.Certificate.NotAfter)
 	return sp, nil
 }
 

internal/idp/providers/saml/saml_test.go

@@ -1,6 +1,7 @@
 package saml
 
 import (
+	"encoding/xml"
 	"testing"
 
 	"github.com/crewjam/saml"
@@ -10,6 +11,7 @@ import (
 
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/idp/providers/saml/requesttracker"
+	"github.com/zitadel/zitadel/internal/zerrors"
 )
 
 func TestProvider_Options(t *testing.T) {
@@ -170,3 +172,111 @@ func TestProvider_Options(t *testing.T) {
 		})
 	}
 }
+
+func TestParseMetadata(t *testing.T) {
+	type args struct {
+		metadata []byte
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    *saml.EntityDescriptor
+		wantErr error
+	}{
+		{
+			"invalid",
+			args{
+				metadata: []byte(`<Test></Test>`),
+			},
+			nil,
+			xml.UnmarshalError("expected element type <EntityDescriptor> but have <Test>"),
+		},
+		{
+			"valid entity descriptor",
+			args{
+				metadata: []byte(`<?xml version="1.0" encoding="UTF-8"?><EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://localhost:8000/metadata"><IDPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"><SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8000/sso"></SingleSignOnService></IDPSSODescriptor></EntityDescriptor>`),
+			},
+			&saml.EntityDescriptor{
+				EntityID: "http://localhost:8000/metadata",
+				IDPSSODescriptors: []saml.IDPSSODescriptor{
+					{
+						XMLName: xml.Name{
+							Space: "urn:oasis:names:tc:SAML:2.0:metadata",
+							Local: "IDPSSODescriptor",
+						},
+						SingleSignOnServices: []saml.Endpoint{
+							{
+								Binding:  saml.HTTPRedirectBinding,
+								Location: "http://localhost:8000/sso",
+							},
+						},
+					},
+				},
+			},
+			nil,
+		},
+		{
+			"valid entity descriptor, non utf-8",
+			args{
+				metadata: []byte(`<?xml version="1.0" encoding="windows-1252"?><EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://localhost:8000/metadata"><IDPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"><SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8000/sso"></SingleSignOnService></IDPSSODescriptor></EntityDescriptor>`),
+			},
+			&saml.EntityDescriptor{
+				EntityID: "http://localhost:8000/metadata",
+				IDPSSODescriptors: []saml.IDPSSODescriptor{
+					{
+						XMLName: xml.Name{
+							Space: "urn:oasis:names:tc:SAML:2.0:metadata",
+							Local: "IDPSSODescriptor",
+						},
+						SingleSignOnServices: []saml.Endpoint{
+							{
+								Binding:  saml.HTTPRedirectBinding,
+								Location: "http://localhost:8000/sso",
+							},
+						},
+					},
+				},
+			},
+			nil,
+		},
+		{
+			"entities descriptor without IDPSSODescriptor",
+			args{
+				metadata: []byte(`<?xml version="1.0" encoding="UTF-8"?><EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"><EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://localhost:8000/metadata"></EntityDescriptor></EntitiesDescriptor>`),
+			},
+			nil,
+			zerrors.ThrowInternal(nil, "SAML-Ejoi3r2", "no entity found with IDPSSODescriptor"),
+		},
+		{
+			"valid entities descriptor",
+			args{
+				metadata: []byte(`<?xml version="1.0" encoding="UTF-8"?><EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"><EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://localhost:8000/metadata"><IDPSSODescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"><SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8000/sso"></SingleSignOnService></IDPSSODescriptor></EntityDescriptor></EntitiesDescriptor>`),
+			},
+			&saml.EntityDescriptor{
+				EntityID: "http://localhost:8000/metadata",
+				IDPSSODescriptors: []saml.IDPSSODescriptor{
+					{
+						XMLName: xml.Name{
+							Space: "urn:oasis:names:tc:SAML:2.0:metadata",
+							Local: "IDPSSODescriptor",
+						},
+						SingleSignOnServices: []saml.Endpoint{
+							{
+								Binding:  saml.HTTPRedirectBinding,
+								Location: "http://localhost:8000/sso",
+							},
+						},
+					},
+				},
+			},
+			nil,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := ParseMetadata(tt.args.metadata)
+			assert.ErrorIs(t, err, tt.wantErr)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}

internal/idp/providers/saml/session.go

@@ -9,7 +9,6 @@ import (
 
 	"github.com/crewjam/saml"
 	"github.com/crewjam/saml/samlsp"
-	"github.com/zitadel/logging"
 
 	"github.com/zitadel/zitadel/internal/idp"
 	"github.com/zitadel/zitadel/internal/zerrors"
@@ -71,7 +70,7 @@ func (s *Session) FetchUser(ctx context.Context) (user idp.User, err error) {
 	if err != nil {
 		invalidRespErr := new(saml.InvalidResponseError)
 		if errors.As(err, &invalidRespErr) {
-			logging.WithError(invalidRespErr.PrivateErr).Info("invalid SAML response details")
+			return nil, zerrors.ThrowInvalidArgument(invalidRespErr.PrivateErr, "SAML-ajl3irfs", "Errors.Intent.ResponseInvalid")
 		}
 		return nil, zerrors.ThrowInvalidArgument(err, "SAML-nuo0vphhh9", "Errors.Intent.ResponseInvalid")
 	}

internal/idp/providers/saml/session_test.go

@@ -134,7 +134,7 @@ func TestSession_FetchUser(t *testing.T) {
 				requestID: "id-b22c90db88bf01d82ffb0a7b6fe25ac9fcb2c679",
 			},
 			want: want{
-				err: zerrors.ThrowInvalidArgument(nil, "SAML-nuo0vphhh9", "Errors.Intent.ResponseInvalid"),
+				err: zerrors.ThrowInvalidArgument(nil, "SAML-ajl3irfs", "Errors.Intent.ResponseInvalid"),
 			},
 		},
 		{