Add acr value into User Authentication (#3127)

re-establish IT

see former retrieval
https://github.com/cloudfoundry/uaa/blob/develop/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationProvider.java#L292-L298

Author: strehle

server/build.gradle

@@ -26,6 +26,7 @@ dependencies {
     implementation(libraries.owaspEsapi) {
         transitive = false
     }
+    implementation(libraries.openSamlApi)
     implementation(libraries.springSecuritySamlServiceProvider)
     implementation(libraries.jodaTime)
     implementation(libraries.xmlSecurity)

server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/SamlUaaAuthenticationAttributesConverter.java

@@ -1,17 +1,22 @@
 package org.cloudfoundry.identity.uaa.provider.saml;
 
-import lombok.Getter;
 import lombok.extern.slf4j.Slf4j;
 import org.cloudfoundry.identity.uaa.provider.SamlIdentityProviderDefinition;
+import org.opensaml.core.xml.schema.XSURI;
 import org.opensaml.saml.saml2.core.Assertion;
+import org.opensaml.saml.saml2.core.AuthnContext;
+import org.opensaml.saml.saml2.core.AuthnStatement;
 import org.opensaml.saml.saml2.core.Response;
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;
+import org.springframework.util.ObjectUtils;
 
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 
 import static org.cloudfoundry.identity.uaa.provider.ExternalIdentityProviderDefinition.USER_ATTRIBUTE_PREFIX;
+import static org.cloudfoundry.identity.uaa.provider.saml.SamlUaaResponseAuthenticationConverter.AUTHENTICATION_CONTEXT_CLASS_REFERENCE;
 
 /**
  * Part of the AuthenticationConverter used during SAML login flow.
@@ -40,6 +45,14 @@ public MultiValueMap<String, String> retrieveUserAttributes(SamlIdentityProvider
                     });
                 });
 
+        List<String> authnContextList = assertions.stream().flatMap(assertion -> assertion.getAuthnStatements().stream())
+                .map(AuthnStatement::getAuthnContext).filter(Objects::nonNull)
+                .map(AuthnContext::getAuthnContextClassRef).filter(Objects::nonNull)
+                .map(XSURI::getURI).filter(Objects::nonNull).toList();
+        if (!ObjectUtils.isEmpty(authnContextList)) {
+            userAttributes.addAll(AUTHENTICATION_CONTEXT_CLASS_REFERENCE, authnContextList);
+        }
+
         if (definition != null && definition.getAttributeMappings() != null) {
             definition.getAttributeMappings().forEach((key, attributeKey) -> {
                 if (attributeKey instanceof String && userAttributes.get(attributeKey) != null) {

uaa/src/test/java/org/cloudfoundry/identity/uaa/integration/feature/OIDCLoginIT.java

@@ -44,7 +44,6 @@
 import org.junit.Rule;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.openqa.selenium.By;
@@ -429,7 +428,6 @@ void testShadowUserNameDefaultsToOIDCSubjectClaim() {
     }
 
     @Test
-    @Disabled("SAML test fails: acr value is not set in the id_token")
     void successfulLoginWithOIDC_and_SAML_Provider_PlusRefreshRotation() throws Exception {
         SamlIdentityProviderDefinition saml = IntegrationTestUtils.createSimplePHPSamlIDP("simplesamlphp", OriginKeys.UAA);
         saml.setLinkText("SAML Login");