Fix #2560 SAML Broker: Add option to validate IdP Entity ID (#2561)

2022-05-04 10:40:58 +02:00 · 2022-05-04 10:40:58 +02:00 · 1c23a0f1a7
commit 1c23a0f1a7
parent 3c55d72517
3 changed files with 20 additions and 0 deletions
--- a/public/resources/en/identity-providers-help.json
+++ b/public/resources/en/identity-providers-help.json
@ -36,6 +36,7 @@
  "postBrokerLoginFlowAlias": "Alias of authentication flow, which is triggered after each login with this identity provider. Useful if you want additional verification of each user authenticated with this identity provider (for example OTP). Leave this to \"None\" if you need no any additional authenticators to be triggered after login with this identity provider. Also note that authenticator implementations must assume that user is already set in ClientSession as identity provider already set it.",
  "syncMode": "Default sync mode for all mappers. The sync mode determines when user data will be synced using the mappers. Possible values are: 'legacy' to keep the behaviour before this option was introduced, 'import' to only import the user once during first login of the user with this identity provider, 'force' to always update the user during every login with this identity provider.",
  "serviceProviderEntityId": "The Entity ID that will be used to uniquely identify this SAML Service Provider.",
+  "identityProviderEntityId": "The Entity ID used to validate the Issuer for received SAML assertions. If empty, no Issuer validation is performed.",
  "useEntityDescriptor": "Import metadata from a remote IDP SAML entity descriptor.",
  "samlEntityDescriptor": "Allows you to load external IDP metadata from a config file or to download it from a URL.",
  "ssoServiceUrl": "The Url that must be used to send authentication requests (SAML AuthnRequest).",
--- a/public/resources/en/identity-providers.json
+++ b/public/resources/en/identity-providers.json
@ -84,6 +84,7 @@
  "signServiceProviderMetadata": "Sign service provider metadata",
  "passSubject": "Pass subject",
  "serviceProviderEntityId": "Service provider entity ID",
+  "identityProviderEntityId": "Identity provider entity ID",
  "importConfig": "Import config from file",
  "showMetaData": "Show metadata",
  "hideMetaData": "Hide metadata",
--- a/src/identity-providers/add/DescriptorSettings.tsx
+++ b/src/identity-providers/add/DescriptorSettings.tsx
@ -74,6 +74,24 @@ const Fields = ({ readOnly }: DescriptorSettingsProps) => {
          ref={register()}
        />
      </FormGroup>
+      <FormGroup
+        label={t("identityProviderEntityId")}
+        fieldId="kc-identity-provider-entity-id"
+        labelIcon={
+          <HelpItem
+            helpText="identity-providers-help:identityProviderEntityId"
+            fieldLabelId="identity-providers:identityProviderEntityId"
+          />
+        }
+      >
+        <KeycloakTextInput
+          type="text"
+          name="config.idpEntityId"
+          data-testid="identityProviderEntityId"
+          id="kc-identity-provider-entity-id"
+          ref={register()}
+        />
+      </FormGroup>
      <FormGroup
        label={t("ssoServiceUrl")}
        labelIcon={