Skip to content

[8.19][Backport] Implement SAML custom attributes support for Identity Provider #128796

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jun 3, 2025
Merged

[8.19][Backport] Implement SAML custom attributes support for Identity Provider #128796

merged 2 commits into from
Jun 3, 2025

Conversation

lloydmeta
Copy link
Member

@lloydmeta lloydmeta commented Jun 3, 2025
edited
Loading

Backports #128176 to 8.19

lloydmeta and others added 2 commits June 3, 2025 11:53
@lloydmeta @tvernum
Implement SAML custom attributes support for Identity Provider (elast…
88a0f74 
…ic#128176)

* Implement SAML custom attributes support for Identity Provider

This commit adds support for custom attributes in SAML single sign-on requests
in the Elasticsearch X-Pack Identity Provider plugin. This feature allows
passage of custom key-value attributes in SAML requests and responses.

Key components:
- Added SamlInitiateSingleSignOnAttributes class for holding attributes
- Added validation for null and empty attribute keys
- Updated request and response objects to handle attributes
- Modified authentication flow to process attributes
- Added test coverage to validate attributes functionality

The implementation follows Elasticsearch patterns with robust validation
and serialization mechanisms, while maintaining backward compatibility.

* Add test for SAML custom attributes in authentication response

This commit adds a comprehensive test that verifies SAML custom attributes
are correctly handled in the authentication response builder. The test ensures:

1. Custom attributes with single and multiple values are properly included
2. The response with custom attributes is still correctly signed
3. The XML schema validation still passes with custom attributes
4. We can locate and verify individual attribute values in the response

This provides critical test coverage for the SAML custom attributes
feature implementation.

* Add backward compatibility overload for SuccessfulAuthenticationResponseMessageBuilder.build

This commit adds an overloaded build method that accepts only two parameters
(user and authenticationState) and forwards the call to the three-parameter
version with null for the customAttributes parameter. This maintains backward
compatibility with existing code that doesn't use custom attributes.

This fixes a compilation error in ServerlessSsoIT.java which was still using
the two-parameter method signature.

Signed-off-by: lloydmeta <[email protected]>

* Add validation for duplicate SAML attribute keys

This commit enhances the SAML attributes implementation by adding validation
for duplicate attribute keys. When the same attribute key appears multiple
times in a request, the validation will now fail with a clear error message.

Signed-off-by: lloydmeta <[email protected]>

* Refactor SAML attributes validation to follow standard patterns

This commit improves the SAML attributes validation by:

1. Adding a dedicated validate() method to SamlInitiateSingleSignOnAttributes
   that centralizes validation logic in one place
2. Moving validation from constructor to dedicated method for better error reporting
3. Checking both for null/empty keys and duplicate keys in the validate() method
4. Updating SamlInitiateSingleSignOnRequest to use the new validation method
5. Adding comprehensive tests for the new validation approach

These changes follow standard Elasticsearch validation patterns, making the
code more maintainable and consistent with the rest of the codebase.

* Update docs/changelog/128176.yaml

* Improve SAML response validation in identity provider tests

Enhanced the testCustomAttributesInIdpInitiatedSso test to properly validate
both SAML response structure and custom attributes using DOM parsing and XPath.

Key improvements:
- Validate SAML Response/Assertion elements exist
- Precisely validate custom attributes (department, region) and their values
- Use namespace-aware XML parsing for resilience to format changes

Signed-off-by: lloydmeta <[email protected]>

* Simplify SAML attributes representation using JSON object/Map structure

Also, replace internal Attribute class list with a simpler Map<String, List<String>>
structure

This change:

- Removes the redundant Attribute class and replaces it with a direct Map
  implementation for storing attribute key-value pairs
- Eliminates the duplicate "attributes" nesting in the JSON structure
- Simplifies attribute validation without needing duplicate key checking

- Updates all related tests and integration points to work with the new structure

Before:

```js
{
  // others
  "attributes": {
    "attributes": [
      {
        "key": "department",
        "values": ["engineering", "product"]
      }
    ]
  }
}

After:

```js
{
  // other
  "attributes": {
    "department": ["engineering", "product"]
  }
}
```

(Verified by spitting out JSON entity in IdentityProviderAuthenticationIT.generateSamlResponseWithAttributes
... saw `{"entity_id":"ec:123456:abcdefg","acs":"https://sp1.test.es.elasticsearch.org/saml/acs","attributes":{"department":["engineering","product"],"region":["APJ"]}}`)

Signed-off-by: lloydmeta <[email protected]>

* * Fix up toString dangling quote.

Signed-off-by: lloydmeta <[email protected]>

* * Remove attributes from Response object.

Signed-off-by: lloydmeta <[email protected]>

* * Remove friendly name.
* Make attributes map final in SamlInitiateSingleSignOnAttributes

Signed-off-by: lloydmeta <[email protected]>

* * Cleanup serdes by using existing utils in the ES codebase

Signed-off-by: lloydmeta <[email protected]>

* Touchup comment

Signed-off-by: lloydmeta <[email protected]>

* Update x-pack/plugin/identity-provider/src/test/java/org/elasticsearch/xpack/idp/action/SamlInitiateSingleSignOnRequestTests.java

Co-authored-by: Tim Vernum <[email protected]>

* Add transport-version checks

---------

Signed-off-by: lloydmeta <[email protected]>
Co-authored-by: Tim Vernum <[email protected]>
@lloydmeta
* TV fixups
8d5847f 
Signed-off-by: lloydmeta <[email protected]>
@elasticsearchmachine elasticsearchmachine added external-contributor Pull request authored by a developer outside the Elasticsearch team v8.19.0 labels Jun 3, 2025
@lloydmeta lloydmeta changed the title Backport/8.19/pr 128176 [8.19][Backport] Implement SAML custom attributes support for Identity Provider Jun 3, 2025
@lloydmeta lloydmeta added >non-issue backport Team:Security Meta label for security team :Security/IdentityProvider Identity Provider (SSO) project in X-Pack labels Jun 3, 2025
@lloydmeta lloydmeta requested a review from tvernum June 3, 2025 03:06
@lloydmeta lloydmeta marked this pull request as ready for review June 3, 2025 03:39
@lloydmeta lloydmeta self-assigned this Jun 3, 2025
@lloydmeta lloydmeta merged commit b24fff4 into elastic:8.19 Jun 3, 2025
15 checks passed
@lloydmeta lloydmeta deleted the backport/8.19/pr-128176 branch June 3, 2025 04:27
@lloydmeta lloydmeta mentioned this pull request Jun 3, 2025
Merged
@tvernum tvernum mentioned this pull request Jun 13, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tvernum tvernum tvernum approved these changes

Assignees

@lloydmeta lloydmeta

Labels
backport external-contributor Pull request authored by a developer outside the Elasticsearch team >non-issue :Security/IdentityProvider Identity Provider (SSO) project in X-Pack Team:Security Meta label for security team v8.19.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@lloydmeta @tvernum @elasticsearchmachine