[PM-5149] unique SP entity id for organization sso configs (#3520)

* org specific sp entity id * updates * dont default true
2024-11-21 12:05:42 +01:00 · 2024-01-18 16:54:01 -05:00 · 2024-01-18 16:54:01 -05:00 · 4b6299a055
commit 4b6299a055
parent ef359c3cf1
4 changed files with 9 additions and 2 deletions
--- a/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs
+++ b/bitwarden_license/src/Sso/Utilities/DynamicAuthenticationSchemeProvider.cs
@ -349,7 +349,9 @@ public class DynamicAuthenticationSchemeProvider : AuthenticationSchemeProvider
        }

        var spEntityId = new Sustainsys.Saml2.Metadata.EntityId(
-            SsoConfigurationData.BuildSaml2ModulePath(_globalSettings.BaseServiceUri.Sso));
+            SsoConfigurationData.BuildSaml2ModulePath(
+                _globalSettings.BaseServiceUri.Sso,
+                config.SpUniqueEntityId ? name : null));
        bool? allowCreate = null;
        if (config.SpNameIdFormat != Saml2NameIdFormat.Transient)
        {
--- a/src/Api/Auth/Models/Request/OrganizationSsoRequestModel.cs
+++ b/src/Api/Auth/Models/Request/OrganizationSsoRequestModel.cs
@ -66,6 +66,7 @@ public class SsoConfigurationDataRequest : IValidatableObject
    public string ExpectedReturnAcrValue { get; set; }

    // SAML2 SP
+    public bool? SpUniqueEntityId { get; set; }
    public Saml2NameIdFormat SpNameIdFormat { get; set; }
    public string SpOutboundSigningAlgorithm { get; set; }
    public Saml2SigningBehavior SpSigningBehavior { get; set; }
@ -190,6 +191,7 @@ public class SsoConfigurationDataRequest : IValidatableObject
            IdpAllowUnsolicitedAuthnResponse = IdpAllowUnsolicitedAuthnResponse.GetValueOrDefault(),
            IdpDisableOutboundLogoutRequests = IdpDisableOutboundLogoutRequests.GetValueOrDefault(),
            IdpWantAuthnRequestsSigned = IdpWantAuthnRequestsSigned.GetValueOrDefault(),
+            SpUniqueEntityId = SpUniqueEntityId.GetValueOrDefault(),
            SpNameIdFormat = SpNameIdFormat,
            SpOutboundSigningAlgorithm = SpOutboundSigningAlgorithm ?? SamlSigningAlgorithms.Sha256,
            SpSigningBehavior = SpSigningBehavior,
--- a/src/Api/Auth/Models/Response/OrganizationSsoResponseModel.cs
+++ b/src/Api/Auth/Models/Response/OrganizationSsoResponseModel.cs
@ -33,7 +33,8 @@ public class SsoUrls
    {
        CallbackPath = SsoConfigurationData.BuildCallbackPath(globalSettings.BaseServiceUri.Sso);
        SignedOutCallbackPath = SsoConfigurationData.BuildSignedOutCallbackPath(globalSettings.BaseServiceUri.Sso);
-        SpEntityId = SsoConfigurationData.BuildSaml2ModulePath(globalSettings.BaseServiceUri.Sso);
+        SpEntityIdStatic = SsoConfigurationData.BuildSaml2ModulePath(globalSettings.BaseServiceUri.Sso);
+        SpEntityId = SsoConfigurationData.BuildSaml2ModulePath(globalSettings.BaseServiceUri.Sso, organizationId);
        SpMetadataUrl = SsoConfigurationData.BuildSaml2MetadataUrl(globalSettings.BaseServiceUri.Sso, organizationId);
        SpAcsUrl = SsoConfigurationData.BuildSaml2AcsUrl(globalSettings.BaseServiceUri.Sso, organizationId);
    }
@ -41,6 +42,7 @@ public class SsoUrls
    public string CallbackPath { get; set; }
    public string SignedOutCallbackPath { get; set; }
    public string SpEntityId { get; set; }
+    public string SpEntityIdStatic { get; set; }
    public string SpMetadataUrl { get; set; }
    public string SpAcsUrl { get; set; }
 }
--- a/src/Core/Auth/Models/Data/SsoConfigurationData.cs
+++ b/src/Core/Auth/Models/Data/SsoConfigurationData.cs
@ -70,6 +70,7 @@ public class SsoConfigurationData
    public bool IdpWantAuthnRequestsSigned { get; set; }

    // SAML2 SP
+    public bool SpUniqueEntityId { get; set; }
    public Saml2NameIdFormat SpNameIdFormat { get; set; }
    public string SpOutboundSigningAlgorithm { get; set; }
    public Saml2SigningBehavior SpSigningBehavior { get; set; }